The constructors in both ScrvusdVerifierV1.sol and its child contract ScrvusdVerifierV2.sol do not validate that the provided oracle addresses are non-zero. This could lead to the deployment of non-functional contracts if zero addresses are accidentally provided.
In ScrvusdVerifierV1.sol, the constructor accepts two address parameters and assigns them to immutable variables without verifying that they are not the zero address:
If either _block_hash_oracle or _scrvusd_oracle is the zero address (0x0), the contract will be deployed with permanently invalid references, requiring redeployment.
Since ScrvusdVerifierV2.sol inherits from ScrvusdVerifierV1.sol and uses its constructor, it is also affected by this issue.
If deployed with a zero address for either oracle:

- The contract would be non-functional from the start
- Since the addresses are immutable, the contract would need to be redeployed
- This would cause operational delay but no direct fund loss
The practical impact is limited since this issue would be detected immediately during deployment testing before the contract interacts with real assets.
Manual code review
Add zero address validation in the constructor:
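A sketch of that validation, added here as an example and not taken from the project's source. The contract names and the two constructor parameter names come from the finding; the immutable variable names, the `ZeroAddress` error, the pragma and the shape of the V2 constructor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added sketch, not the project's code. Names marked "assumed" do not
// appear in the finding and are chosen for illustration only.
error ZeroAddress(string param); // assumed custom error

contract ScrvusdVerifierV1 {
    address public immutable BLOCK_HASH_ORACLE; // assumed name
    address public immutable SCRVUSD_ORACLE;    // assumed name

    constructor(address _block_hash_oracle, address _scrvusd_oracle) {
        // Immutables cannot be changed after deployment, so a bad
        // argument must revert here instead of being stored.
        if (_block_hash_oracle == address(0)) {
            revert ZeroAddress("_block_hash_oracle");
        }
        if (_scrvusd_oracle == address(0)) {
            revert ZeroAddress("_scrvusd_oracle");
        }
        BLOCK_HASH_ORACLE = _block_hash_oracle;
        SCRVUSD_ORACLE = _scrvusd_oracle;
    }
}

contract ScrvusdVerifierV2 is ScrvusdVerifierV1 {
    // Assumed constructor shape: V2 forwards both arguments to V1, so
    // the checks above run for V2 deployments without being repeated.
    constructor(address _block_hash_oracle, address _scrvusd_oracle)
        ScrvusdVerifierV1(_block_hash_oracle, _scrvusd_oracle)
    {}
}
```

With this in place, a deployment that passes a zero address for either oracle reverts, and the revert data names the offending parameter.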