The ZENO contract’s constructor sets businessAddress—the recipient of USDC payments—without verifying it’s not the zero address (0x0). If deployed with a zero address, all buy() transactions fail, locking the contract into a useless state. While low-likelihood due to deployment diligence, the high-impact outcome makes this a critical fix.
The constructor assigns businessAddress without a check. If set to 0x0, the usdc.transferFrom() call in buy() reverts because ERC20 tokens like USDC reject transfers to the zero address. Example:
Deployer mistakenly sets businessAddress to 0x0.
A user attempts to buy ZENO, but the transfer fails, halting all auction activity.
Funds remain with users, but the contract cannot fulfill its purpose until redeployed.
The contract becomes non-functional upon deployment with a zero address, preventing all purchases and undermining its purpose. Although the likelihood is low (requiring human error), the impact is severe, necessitating a new deployment and potentially losing user trust or funds tied to the broken instance.
Static Analysis Tools: Slither to flag missing zero-address validation.
Add a zero-address check in the constructor:
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.