No Zero Address Check for businessAddress
Summary
The ZENO contract’s constructor sets businessAddress—the recipient of USDC payments—without verifying it’s not the zero address (0x0). If deployed with a zero address, all buy() transactions fail, locking the contract into a useless state. While low-likelihood due to deployment diligence, the high-impact outcome makes this a critical fix.
Vulnerability Details
The constructor assigns businessAddress without a check. If set to 0x0, the usdc.transferFrom() call in buy() reverts because ERC20 tokens like USDC reject transfers to the zero address. Example:
Deployer mistakenly sets businessAddress to 0x0.
A user attempts to buy ZENO, but the transfer fails, halting all auction activity.
Funds remain with users, but the contract cannot fulfill its purpose until redeployed.
Impact
The contract becomes non-functional upon deployment with a zero address, preventing all purchases and undermining its purpose. Although the likelihood is low (requiring human error), the impact is severe, necessitating a new deployment and potentially losing user trust or funds tied to the broken instance.
Tools Used
Static Analysis Tools: Slither to flag missing zero-address validation.
Recommendations
Add a zero-address check in the constructor:
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.