Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

No Zero Address Check for businessAddress

Summary

The ZENO contract's constructor stores businessAddress, the recipient of all USDC payments, without verifying that it is not the zero address (0x0). If the contract is deployed with a zero address, every buy() transaction reverts and the contract is stuck in an unusable state, with no way to correct the recipient short of redeploying. The likelihood is low because it requires a deployment mistake, but the outcome (a non-functional sale contract) is severe enough that the check should be added.

Vulnerability Details

The constructor assigns businessAddress without any validation. If it is set to 0x0, the usdc.transferFrom(msg.sender, businessAddress, amount) call in buy() reverts, because standard ERC20 implementations, USDC included, reject transfers to the zero address. Example sequence:

Deployer mistakenly sets businessAddress to 0x0.
A user attempts to buy ZENO, but the transfer fails, halting all auction activity.
Funds remain with users, but the contract cannot fulfill its purpose until redeployed.

Impact

The contract is non-functional from the moment it is deployed with a zero address: no purchase can succeed, so it cannot serve its purpose. Because transferFrom reverts atomically, buyers' USDC is never moved and no user funds are at risk; the cost is a redeployment and the loss of trust in the broken instance. Likelihood is low (it requires human error at deployment), but the impact on the deployed instance is total.

Tools Used

Static analysis: Slither, whose missing-zero-check detector flags address parameters stored without a zero-address comparison.

Recommendations

Add a zero-address check in the constructor before assigning the field:

```solidity
require(_businessAddress != address(0), "Invalid business address");
```
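The following is an added illustration, not code from the ZENO project: a minimal stand-in sale contract (contract name, price field and the hypothetical `ZeroAddress` error are assumptions) showing the check placed in the constructor so that a misconfigured deployment fails immediately instead of on the first buy().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; the contract, its name and its fields are hypothetical and
// only model the businessAddress / buy() pattern described in the finding.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract ZenoSaleExample {
    IERC20 public immutable usdc;
    address public immutable businessAddress; // recipient of all USDC payments
    uint256 public immutable priceInUsdc;     // assumed flat price per unit

    error ZeroAddress(string field);

    constructor(address _usdc, address _businessAddress, uint256 _priceInUsdc) {
        // Validate at deployment: once stored, the recipient cannot be
        // corrected without redeploying, so reject 0x0 here.
        if (_usdc == address(0)) revert ZeroAddress("usdc");
        if (_businessAddress == address(0)) revert ZeroAddress("businessAddress");
        usdc = IERC20(_usdc);
        businessAddress = _businessAddress;
        priceInUsdc = _priceInUsdc;
    }

    function buy(uint256 quantity) external {
        uint256 cost = quantity * priceInUsdc;
        // Without the constructor check, a zero businessAddress makes this
        // call revert inside the token ("ERC20: transfer to the zero address"),
        // so no purchase could ever succeed.
        bool ok = usdc.transferFrom(msg.sender, businessAddress, cost);
        require(ok, "USDC transfer failed");
        // Allocation of ZENO to msg.sender would follow here (omitted).
    }
}
```

A custom error is used instead of a require string only to keep the revert reason cheap and distinguishable per field; the one-line require above is equivalent in effect. The same assertion belongs in the Hardhat deployment script, where an unset environment variable is the most common way a zero address reaches a constructor.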
Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
