Core Contracts
Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Missing Constructor Validations in Auction Contract

## Summary

The constructor of the Auction contract lacks essential input validation checks. Specifically, it does not validate that the auction's start time is earlier than the end time, nor does it ensure that critical address parameters (such as the ZENO token, USDC token, business address, and initial owner) are non-zero. Without these checks, the contract can be deployed in a misconfigured state, which can lead to malfunctioning auctions, misdirected token transfers, or loss of control over the contract.


## Vulnerability Details

  • Affected Code:
    The Auction contract's constructor:

    ```solidity
    constructor(
        address _zenoAddress,
        address _usdcAddress,
        address _businessAddress,
        uint256 _startTime,
        uint256 _endTime,
        uint256 _startingPrice,
        uint256 _reservePrice,
        uint256 _totalAllocated,
        address _initialOwner
    ) Ownable(_initialOwner) {
        zeno = ZENO(_zenoAddress);
        usdc = IUSDC(_usdcAddress);
        businessAddress = _businessAddress;
        state = AuctionState({
            startTime: _startTime,
            endTime: _endTime,
            startingPrice: _startingPrice,
            reservePrice: _reservePrice,
            totalAllocated: _totalAllocated,
            totalRemaining: _totalAllocated,
            lastBidTime: 0,
            lastBidder: address(0)
        });
    }
    ```
  • Issues Identified:

    • Time Validation:
      The contract does not check that the auction's start time is less than the end time. This could lead to an auction that either never starts or ends immediately, which would render the auction process ineffective or malfunctioning.

    • Zero Address Checks:
      Critical parameters such as _zenoAddress, _usdcAddress, _businessAddress, and _initialOwner are not checked to ensure that they are not zero addresses. If any of these addresses are set to zero, token transfers (such as USDC payments or ZENO token minting) could be misdirected or fail altogether, leading to loss of funds or contract malfunction.


## Impact

  • Auction Malfunction:
    Without validating that the start time is earlier than the end time, the auction may not function as expected. For example, it could end immediately, causing the auction to be ineffective, or it could start after the end time, which doesn't make sense in the context of an auction.


## Tools Used

Manual Code Review


## Recommendations

  1. Validate Time Parameters:
    Ensure that the auction start time is earlier than the end time to avoid a non-functional auction:

    ```solidity
    require(_startTime < _endTime, "Start time must be less than end time");
    ```
  2. Validate Critical Addresses:
    Add checks to ensure that critical address parameters are not set to the zero address. This is essential for ensuring that token transfers and minting functions operate as intended:

    ```solidity
    require(_zenoAddress != address(0), "ZENO address cannot be zero");
    require(_usdcAddress != address(0), "USDC address cannot be zero");
    require(_businessAddress != address(0), "Business address cannot be zero");
    require(_initialOwner != address(0), "Initial owner cannot be zero");
    ```
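The constructor with the recommended checks folded in, as an added example that is neither the project's code nor the report author's. It assumes `Ownable` is OpenZeppelin v5's (its constructor takes the initial owner, matching the `Ownable(_initialOwner)` call in the affected code); the `IUSDC` and `ZENO` interfaces and the `AuctionState` struct are minimal stand-ins written for this example. It uses custom errors in place of the revert strings above, a style choice rather than a functional difference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Ownable is assumed to be
// OpenZeppelin v5 (constructor takes the initial owner). The ZENO and
// IUSDC interfaces and the AuctionState struct are minimal stand-ins;
// only the constructor signature, the state assignments and the checks
// themselves follow the finding.
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Assumed minimal interfaces: the real contracts expose more than this.
interface IUSDC {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface ZENO {
    function mint(address to, uint256 amount) external;
}

contract Auction is Ownable {
    struct AuctionState {
        uint256 startTime;
        uint256 endTime;
        uint256 startingPrice;
        uint256 reservePrice;
        uint256 totalAllocated;
        uint256 totalRemaining;
        uint256 lastBidTime;
        address lastBidder;
    }

    // Custom errors instead of revert strings: cheaper to deploy and emit,
    // and they carry the offending values for the deployer to read off.
    error ZeroAddress(string parameter);
    error InvalidTimeWindow(uint256 startTime, uint256 endTime);

    // Token handles never change after deployment, so they can be immutable.
    ZENO public immutable zeno;
    IUSDC public immutable usdc;
    address public businessAddress;
    AuctionState public state;

    constructor(
        address _zenoAddress,
        address _usdcAddress,
        address _businessAddress,
        uint256 _startTime,
        uint256 _endTime,
        uint256 _startingPrice,
        uint256 _reservePrice,
        uint256 _totalAllocated,
        address _initialOwner
    ) Ownable(_initialOwner) {
        // Base constructors run first: OpenZeppelin v5's Ownable has already
        // reverted with OwnableInvalidOwner(address(0)) if _initialOwner was
        // zero, so that check is not repeated here. With a hand-rolled Ownable
        // that does not validate its argument, add the explicit check.

        // Fail fast, before any state is written.
        if (_zenoAddress == address(0)) revert ZeroAddress("_zenoAddress");
        if (_usdcAddress == address(0)) revert ZeroAddress("_usdcAddress");
        if (_businessAddress == address(0)) revert ZeroAddress("_businessAddress");
        // Strict inequality: a zero-length window would end the auction the
        // moment it starts.
        if (_startTime >= _endTime) revert InvalidTimeWindow(_startTime, _endTime);

        zeno = ZENO(_zenoAddress);
        usdc = IUSDC(_usdcAddress);
        businessAddress = _businessAddress;
        state = AuctionState({
            startTime: _startTime,
            endTime: _endTime,
            startingPrice: _startingPrice,
            reservePrice: _reservePrice,
            totalAllocated: _totalAllocated,
            totalRemaining: _totalAllocated,
            lastBidTime: 0,
            lastBidder: address(0)
        });
    }
}
```

Because base constructors execute before the derived body, an OpenZeppelin v5 `Ownable` rejects a zero initial owner before any check in the body runs, so the fourth `require` above is already enforced in that configuration and is only needed when `Ownable` is a custom base that does not validate its argument. A deployment test in the project's Hardhat suite should assert that each of the four bad inputs makes deployment revert and that a valid set of arguments stores the expected `state`.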
## Updates

Lead Judging Commences

inallhonesty, Lead Judge, 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
