Submission Details
Impact:
Likelihood:
Address State Variable Set Without Checks
Description
-
Contract constructors should validate critical address parameters to prevent deployment with invalid configurations.
-
The
BidBeastsNFTMarketPlace::BBERC721state variable is set in the constructor without validating that the address is not zero, which could lead to a non-functional contract.
@> BBERC721 = BidBeasts(_BidBeastsNFT);
Risk
Likelihood:
-
Occurs if deployer accidentally passes zero address during deployment
-
Would require complete contract redeployment to fix
Impact:
-
Contract becomes completely unusable
-
All NFT-related operations would fail
Proof of Concept
function test_LOW_L2_AddressStateVariableWithoutChecks() public {
// Deploy marketplace with zero address (should be prevented)
vm.prank(OWNER);
BidBeastsNFTMarket badMarket = new BidBeastsNFTMarket(address(0));
// Contract accepts zero address
assertEq(address(badMarket.BBERC721()), address(0), "Should have zero address");
// This will cause failures when trying to use the contract
vm.expectRevert();
badMarket.listNFT(0, MIN_PRICE, BUY_NOW_PRICE);
}
Recommended Mitigation
constructor(address _BidBeastsNFT) {
+ require(_BidBeastsNFT != address(0), "BidBeasts NFT address cannot be zero");
BBERC721 = BidBeasts(_BidBeastsNFT);
}
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.