Core Contracts

Summary

Several setter functions in the StabilityPool contract lack checks to ensure that the provided addresses are non-zero. This oversight may result in the zero address being registered for critical roles, such as a manager, RAACMinter, or Liquidity Pool. Registering an invalid (zero) address can lead to misallocation of funds, unexpected behavior during contract interactions, and operational disruptions. Although this issue primarily affects efficiency and correctness rather than posing a direct security risk, it is classified as a low-severity issue.

Affected Functions

1. addManager Function:

   /**

   * @notice Adds a new manager with a specified allocation.

   * @param manager Address of the manager to add.

   * @param allocation Allocation amount for the manager.

   */

   function addManager(address manager, uint256 allocation) external onlyOwner validAmount(allocation) {

   // @info: missing zero address check

   if (managers[manager]) revert ManagerAlreadyExists();

   managers[manager] = true;

   managerAllocation[manager] = allocation;

   totalAllocation += allocation;

   managerList.push(manager);

   emit ManagerAdded(manager, allocation);

   }

   Issue: The function does not check whether manager is the zero address.

2. setRAACMinter Function:

   /**

   * @notice Sets the RAACMinter contract address.

   * @param _raacMinter Address of the new RAACMinter contract.

   */

   function setRAACMinter(address _raacMinter) external onlyOwner {

   // @info: missing zero address check

   raacMinter = IRAACMinter(_raacMinter);

   }

   Issue: The function lacks a check to ensure _raacMinter is non-zero.

3. setLiquidityPool Function:

   /**

   * @notice Sets the liquidity pool address.

   * @param _liquidityPool Address of the liquidity pool.

   */

   function setLiquidityPool(address _liquidityPool) external onlyOwner {

   // @info: missing zero address check

   liquidityPool = _liquidityPool;

   emit LiquidityPoolSet(_liquidityPool);

   }

   Issue: This function also does not verify that _liquidityPool is a non-zero address before setting it.

Impact

• Correctness Issues:
  Allowing the zero address to be used in critical settings can lead to errors in fund allocation and may disrupt administrative functions.

• Operational Disruption:
  Subsequent operations that depend on these addresses (e.g., manager actions, RAACMinter functions, liquidity pool interactions) could fail or behave unpredictably if they reference an invalid address.

• Severity:
  This is a low-severity issue because it does not directly compromise funds or critical operations but affects the overall correctness and efficiency of the protocol.

Tools Used

• Manual Review

• Foundry

Recommendations

For each affected function, add a check to ensure that the provided address is not the zero address. Example modifications:

1. addManager Function:

2. setRAACMinter Function:

3. setLiquidityPool Function: