Submission Details
Impact:
Likelihood:
Missing Zero Address Check in Constructor of the `BidBeastsNFTMarketplace` contract
Description
-
Constructors should validate that critical contract addresses are not zero to prevent deployment with invalid configurations.
-
The constructor accepts the BidBeasts NFT contract address without validating that it's not the zero address.
constructor(address _BidBeastsNFT) {
@> BBERC721 = BidBeasts(_BidBeastsNFT);
}
Risk
Likelihood:
-
Occurs if deployer accidentally passes zero address during deployment
-
Would require contract redeployment to fix
Impact:
-
Contract becomes unusable with zero address
-
All NFT operations would fail
Proof of Concept
function test_LOW_MissingZeroAddressCheckConstructor() public {
// Deploy with zero address (should fail but doesn't)
vm.prank(OWNER);
BidBeastsNFTMarket badMarket = new BidBeastsNFTMarket(address(0));
// Contract deploys successfully with zero address
assertEq(
address(badMarket.BBERC721()),
address(0),
"Should have zero address"
);
// This will cause issues when trying to use the contract
vm.expectRevert();
badMarket.listNFT(0, MIN_PRICE, BUY_NOW_PRICE);
}
Recommended Mitigation
constructor(address _BidBeastsNFT) {
+ require(_BidBeastsNFT != address(0), "BidBeasts NFT address cannot be zero");
BBERC721 = BidBeasts(_BidBeastsNFT);
}
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.