Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Lack of Input Validation in Constructor

Summary

The ZENO contract’s constructor lacks validation for critical parameters like the USDC address and maturity date, risking deployment with invalid values. This high-likelihood, high-impact flaw could prevent all redemptions, locking user funds permanently if the contract is misconfigured (e.g., with a zero USDC address).

Vulnerability Details

The constructor accepts _usdc and _maturityDate without checks. For example:

1. The contract is deployed with _usdc as the zero address.
2. Users mint 100,000 ZENO tokens backed by USDC deposits.
3. At maturity, all redemption attempts fail due to the invalid USDC address.

Alternatively, a past _maturityDate could block functionality from the start, rendering the contract useless.

Impact

The impact is catastrophic: all user funds could be locked indefinitely due to a single deployment error. With a high likelihood of human error during deployment, this vulnerability threatens the entire system, leading to total capital loss and irreparable damage to trust.

Tools Used

Testing Frameworks: Foundry to test deployment with invalid parameters.

Recommendations

Implement robust validation in the constructor:

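```solidity
// decimals() is declared on IERC20Metadata, not on OpenZeppelin's base IERC20:
// import {IERC20Metadata} from "@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol";
constructor(
    address _usdc,
    uint256 _maturityDate,
    string memory _name,
    string memory _symbol,
    address _initialOwner
) Ownable(_initialOwner) ERC20(_name, _symbol) {
    // Reject the zero address before it is stored.
    require(_usdc != address(0), "Invalid USDC address");
    // Maturity must lie strictly in the future at deployment time.
    require(_maturityDate > block.timestamp, "Maturity must be future");
    // Sanity-check that the token reports USDC's 6 decimals.
    require(IERC20Metadata(_usdc).decimals() == 6, "Invalid USDC token");
    USDC = IERC20(_usdc);
    MATURITY_DATE = _maturityDate;
}
```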
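
A deployment-side complement to the constructor checks above, as an added example that is not part of the original submission or the project's code: a preflight a Hardhat deploy script can run on the constructor arguments before sending any transaction. The function name, the argument shape and the milliseconds heuristic are assumptions of this example; it goes beyond the page by also catching a maturity date supplied in milliseconds instead of seconds.

```javascript
// Added example: off-chain preflight for the ZENO constructor arguments.
// preflightZenoArgs and its argument shape are hypothetical, not project code.
const ZERO_ADDRESS = "0x" + "0".repeat(40);
const EXPECTED_USDC_DECIMALS = 6;

// Returns a list of problems; an empty list means the arguments pass.
// usdcDecimals is whatever the deploy script read from the token's decimals()
// on the target network (null/undefined if the call failed or no code is there).
function preflightZenoArgs({ usdc, maturityDate, usdcDecimals }, nowSeconds) {
  const problems = [];
  if (typeof usdc !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(usdc)) {
    problems.push("usdc: not a 20-byte hex address");
  } else if (usdc.toLowerCase() === ZERO_ADDRESS) {
    problems.push("usdc: zero address");
  } else if (usdcDecimals == null) {
    problems.push("usdc: decimals() could not be read");
  } else if (Number(usdcDecimals) !== EXPECTED_USDC_DECIMALS) {
    problems.push(`usdc: decimals is ${usdcDecimals}, expected 6`);
  }
  let maturity;
  try {
    maturity = BigInt(maturityDate); // throws on fractions and non-numeric input
  } catch {
    problems.push("maturityDate: not an integer");
    return problems;
  }
  const now = BigInt(nowSeconds);
  if (maturity <= now) {
    problems.push("maturityDate: not in the future");
  } else if (maturity > now * 100n) {
    // Roughly 1000x "now" is almost always Date.now() (ms) passed where
    // block.timestamp seconds were intended.
    problems.push("maturityDate: looks like milliseconds, not seconds");
  }
  return problems;
}

// Constructed sample inputs (not real deployment values).
const NOW = 1700000000;
const SAMPLE_TOKEN = "0x" + "ab".repeat(20);
console.log(preflightZenoArgs({ usdc: ZERO_ADDRESS, maturityDate: NOW - 1, usdcDecimals: null }, NOW));
console.log(preflightZenoArgs({ usdc: SAMPLE_TOKEN, maturityDate: NOW * 1000 + 86400000, usdcDecimals: 6 }, NOW));
console.log(preflightZenoArgs({ usdc: SAMPLE_TOKEN, maturityDate: NOW + 30 * 86400, usdcDecimals: 6 }, NOW));
```
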
Updates

Lead Judging Commences

inallhonesty Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
