Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Missing Constructor Validations in Auction Contract

Summary

The constructor of the Auction contract lacks essential input validation checks. It does not verify that the auction start time is earlier than the end time, nor does it ensure that critical address parameters (such as the ZENO token, USDC token, business address, and initial owner) are non-zero. Without these validations, the contract can be deployed in a misconfigured state, potentially leading to malfunctioning auctions and unintended behavior.

Vulnerability Details

  • Affected Code:
    The Auction contract's constructor:

    constructor(
        address _zenoAddress,
        address _usdcAddress,
        address _businessAddress,
        uint256 _startTime,
        uint256 _endTime,
        uint256 _startingPrice,
        uint256 _reservePrice,
        uint256 _totalAllocated,
        address _initialOwner
    ) Ownable(_initialOwner) {
        zeno = ZENO(_zenoAddress);
        usdc = IUSDC(_usdcAddress);
        businessAddress = _businessAddress;
        state = AuctionState({
            startTime: _startTime,
            endTime: _endTime,
            startingPrice: _startingPrice,
            reservePrice: _reservePrice,
            totalAllocated: _totalAllocated,
            totalRemaining: _totalAllocated,
            lastBidTime: 0,
            lastBidder: address(0)
        });
    }
  • Issues Identified:

    • Time Validation:
      There is no check to ensure that _startTime is less than _endTime. An end time at or before the start time could produce an auction that never opens, or one that is already over the moment it begins.

    • Zero Address Checks:
      Critical addresses such as _zenoAddress, _usdcAddress, _businessAddress, and _initialOwner are not validated against the zero address. This omission can lead to misdirected token transfers or loss of control over the contract.

Impact

  • Auction Malfunction:
    Without ensuring that the auction start time is before the end time, the auction may never commence or might end immediately, rendering the auction process ineffective.

  • Loss of Funds and Control:
    If any of the required addresses are set to the zero address, token transfers (such as USDC payments or ZENO token minting) could be misdirected or fail altogether, potentially leading to loss of funds or control.

  • Increased Deployment Risk:
    Deploying a contract with invalid parameters increases the risk of operational failures and may require a costly redeployment or manual intervention to correct the errors.

Tools Used

  • Manual Code Review

Recommendations

  1. Validate Time Parameters:
    Add a check to ensure that the auction start time is strictly before the end time:

    require(_startTime < _endTime, "Start time must be less than end time");
  2. Validate Critical Addresses:
    Ensure that each address parameter is not the zero address:

    require(_zenoAddress != address(0), "ZENO address cannot be zero");
    require(_usdcAddress != address(0), "USDC address cannot be zero");
    require(_businessAddress != address(0), "Business address cannot be zero");
    require(_initialOwner != address(0), "Initial owner cannot be zero");
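The constructor with both recommendations applied, as an added example rather than the project's own code. The AuctionState struct and variable names mirror the finding; the ZENO and IUSDC interfaces are assumed minimal stand-ins for the real token contracts, and the OpenZeppelin v5 Ownable import is assumed from the Ownable(_initialOwner) base-constructor call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed: OpenZeppelin v5, whose Ownable takes the initial owner as a constructor argument.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Assumed minimal interfaces standing in for the real ZENO and USDC contracts.
interface ZENO {
    function mint(address to, uint256 amount) external;
}

interface IUSDC {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract Auction is Ownable {
    struct AuctionState {
        uint256 startTime;
        uint256 endTime;
        uint256 startingPrice;
        uint256 reservePrice;
        uint256 totalAllocated;
        uint256 totalRemaining;
        uint256 lastBidTime;
        address lastBidder;
    }

    ZENO public zeno;
    IUSDC public usdc;
    address public businessAddress;
    AuctionState public state;

    constructor(
        address _zenoAddress,
        address _usdcAddress,
        address _businessAddress,
        uint256 _startTime,
        uint256 _endTime,
        uint256 _startingPrice,
        uint256 _reservePrice,
        uint256 _totalAllocated,
        address _initialOwner
    ) Ownable(_initialOwner) {
        // Base constructors run first: with OpenZeppelin v5, Ownable(address(0)) already
        // reverts with OwnableInvalidOwner before this body executes, so this require is
        // only reachable on older Ownable versions. It is kept so every parameter is
        // validated in one place with a consistent revert message.
        require(_initialOwner != address(0), "Initial owner cannot be zero");

        // Zero-address checks: a zero token address makes every transfer/mint fail,
        // and a zero business address would send USDC proceeds to address(0).
        require(_zenoAddress != address(0), "ZENO address cannot be zero");
        require(_usdcAddress != address(0), "USDC address cannot be zero");
        require(_businessAddress != address(0), "Business address cannot be zero");

        // Time validation: the auction window must have positive length.
        require(_startTime < _endTime, "Start time must be less than end time");

        zeno = ZENO(_zenoAddress);
        usdc = IUSDC(_usdcAddress);
        businessAddress = _businessAddress;
        state = AuctionState({
            startTime: _startTime,
            endTime: _endTime,
            startingPrice: _startingPrice,
            reservePrice: _reservePrice,
            totalAllocated: _totalAllocated,
            totalRemaining: _totalAllocated,
            lastBidTime: 0,
            lastBidder: address(0)
        });
    }
}
```

The checks sit before any state is written, so a bad deployment reverts and leaves no half-initialised contract behind; a Hardhat deployment test that expects each misconfigured argument set to revert with the matching message is the natural regression check for this finding.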

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
