Allowing the fee collector address to be set to the zero address without explicit confirmation can lead to confusion and potential misuse. Implementing an explicit confirmation mechanism and conducting thorough audits and testing are essential to address this issue and enhance the security and reliability of the contract. The severity of this issue is classified as low to medium, depending on the potential impact on the contract's functionality and user experience.
The setFeeCollector function in the RAACToken contract allows the fee collector address to be set to the zero address. While this is intended to disable fee collection, it does not revert if _feeCollector is set to the zero address. This can lead to confusion and potential misuse, as it may not be clear whether fee collection is intentionally disabled or if it is an error.
Confusion: Allowing the fee collector to be set to the zero address without reverting can lead to confusion about whether fee collection is intentionally disabled or if it is an error.
Potential Misuse: If the zero address is set unintentionally, it can lead to potential misuse or loss of fee collection functionality.
Manual review
Explicit Confirmation: Implement an explicit confirmation mechanism to ensure that setting the fee collector to the zero address is intentional.
Audit and Testing: Conduct a thorough audit and testing of the contract to ensure that the fee collection logic is correctly implemented and secure.
Revert if feeCollector is the zero address instead of only emitting an event.
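One way to implement the explicit confirmation recommended above, shown as an added sketch that is not the RAACToken source: the setter rejects the zero address, and disabling fees becomes a separate call with its own event. Only setFeeCollector and _feeCollector come from the finding; the contract name, the owner check, the events and the errors are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not the RAACToken contract. Hypothetical names:
// FeeCollectorConfig, owner, disableFeeCollection, all events and errors.
contract FeeCollectorConfig {
    address public owner;
    address public feeCollector;

    event FeeCollectorSet(address indexed previous, address indexed current);
    event FeeCollectionDisabled(address indexed previous);

    error NotOwner();
    error ZeroFeeCollector();
    error AlreadyDisabled();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(address initialCollector) {
        if (initialCollector == address(0)) revert ZeroFeeCollector();
        owner = msg.sender;
        feeCollector = initialCollector;
        emit FeeCollectorSet(address(0), initialCollector);
    }

    // Normal path: a zero argument is treated as a mistake and reverts,
    // so an unset or mistyped parameter cannot silently turn fees off.
    function setFeeCollector(address _feeCollector) external onlyOwner {
        if (_feeCollector == address(0)) revert ZeroFeeCollector();
        emit FeeCollectorSet(feeCollector, _feeCollector);
        feeCollector = _feeCollector;
    }

    // Explicit path: disabling fee collection is a distinct call with a
    // distinct event, so on-chain logs show that it was intentional.
    function disableFeeCollection() external onlyOwner {
        if (feeCollector == address(0)) revert AlreadyDisabled();
        emit FeeCollectionDisabled(feeCollector);
        feeCollector = address(0);
    }
}
```

Monitoring can then alert on FeeCollectionDisabled alone, since a zero collector can no longer result from an ordinary setFeeCollector call.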