Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

No check for msg.sender != address(0) in propose function of Governance.sol

Summary

The propose function does not check whether msg.sender is the zero address (address(0)). This could lead to unexpected behavior if the function is ever called by an external contract or by a smart contract that lacks a proper sender identity.

Vulnerability Details

The function retrieves the voting power of msg.sender via _veToken.getVotingPower(msg.sender), but it never validates that msg.sender is not address(0).

Impact

Storage Bloat: If address(0) were able to propose transactions, a malicious actor could exploit this to store large amounts of data, consuming blockchain storage.

Blocking Other Proposals: If address(0) successfully submitted proposals (due to the lack of validation), those proposals could fill the governance queue, making it harder for legitimate proposals to be processed.

Tools Used

Manual Review

Recommendations

Explicit Check for Zero Address: Add a require statement that rejects msg.sender == address(0):

```solidity
function propose(
    address[] memory targets,
    uint256[] memory values,
    bytes[] memory calldatas,
    string memory description,
    ProposalType proposalType
) external override returns (uint256) {
    // Added check: reject the zero address as proposer
    require(msg.sender != address(0), "Invalid sender: zero address");
    uint256 proposerVotes = _veToken.getVotingPower(msg.sender);
    // ....
}
```

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
