DatingDapp

First Flight #33
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Severity: low
Invalid

Missing zero address validation in `LikeRegistry` constructor (Input Validation + Contract Initialization Risk)

Description: The `LikeRegistry` constructor accepts an address parameter `_profileNFT` but does not check that it is not the zero address. The address is used to initialize the critical `profileNFT` variable, which is essential for the contract's core functionality.

```solidity
constructor(address _profileNFT) Ownable(msg.sender) {
    profileNFT = SoulboundProfileNFT(_profileNFT); // No zero-address check
}
```

Impact:

  • If deployed with address(0), the contract would need to be redeployed

  • All functions that interact with profileNFT would fail

  • Could lead to unnecessary gas costs from failed deployment

Proof of Concept:

```solidity
// This deployment would succeed but make the contract unusable
LikeRegistry registry = new LikeRegistry(address(0));
// All these functions would fail when trying to use profileNFT
registry.likeUser(); // reverts
registry.matchRewards(); // reverts
```
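The behaviour described in the proof of concept, written as a Foundry test; this is an added example, not code from the original submission or from the DatingDapp repository. `IProfileNFT`, `hasProfile`, `UnguardedRegistry`, `GuardedRegistry` and `like` are hypothetical stand-ins; only the constructor shape and the custom error name are taken from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for SoulboundProfileNFT: one view function is enough here.
interface IProfileNFT {
    function hasProfile(address user) external view returns (bool);
}

// Hypothetical stand-in for LikeRegistry, without the zero-address check.
contract UnguardedRegistry {
    IProfileNFT public profileNFT;

    constructor(address _profileNFT) {
        profileNFT = IProfileNFT(_profileNFT);
    }

    function like(address user) external view returns (bool) {
        // Reverts when the target has no code (code-size check or failed
        // return-data decoding, depending on the compiler version).
        return profileNFT.hasProfile(user);
    }
}

// Same stand-in with the check from the recommended mitigation.
contract GuardedRegistry {
    error LikeRegistry__ZeroProfileNFTAddress();
    IProfileNFT public profileNFT;

    constructor(address _profileNFT) {
        if (_profileNFT == address(0)) revert LikeRegistry__ZeroProfileNFTAddress();
        profileNFT = IProfileNFT(_profileNFT);
    }
}

contract ZeroAddressConstructorTest is Test {
    function test_unguardedDeploysButCallsRevert() public {
        UnguardedRegistry registry = new UnguardedRegistry(address(0));
        assertEq(address(registry.profileNFT()), address(0)); // deployment succeeded
        vm.expectRevert(); // every call that touches profileNFT now fails
        registry.like(address(this));
    }

    function test_guardedRevertsAtDeployment() public {
        vm.expectRevert(GuardedRegistry.LikeRegistry__ZeroProfileNFTAddress.selector);
        new GuardedRegistry(address(0)); // misconfiguration surfaces immediately
    }
}
```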

Recommended Mitigation: Add a zero address check in the constructor:

+ error LikeRegistry__ZeroProfileNFTAddress();
constructor(address _profileNFT) Ownable(msg.sender) {
+ if(_profileNFT == address(0)) {
+ revert LikeRegistry__ZeroProfileNFTAddress();
+ }
profileNFT = SoulboundProfileNFT(_profileNFT);
}
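Review bot: The new `if(_profileNFT == address(0))` guard rejects only the zero address; any other address with no contract code (for example an EOA pasted by mistake) still passes the cast on the `profileNFT = SoulboundProfileNFT(_profileNFT);` line and leaves the registry equally unusable. If the check goes in, consider also requiring `_profileNFT.code.length != 0`, and add a deployment test that expects `LikeRegistry__ZeroProfileNFTAddress`. Style: write `if (` with a space, and note in the patch that the `error` declaration belongs at contract level, above the constructor.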
Updates

Appeal created

n0kto Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
