Bid Beasts

First Flight #49
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Impact: low
Likelihood: low
Invalid

Missing Zero Address Validation in Constructor (Deployment Failure + Contract Unusability)

Description

  • The constructor should validate that critical address parameters are not zero addresses to prevent deployment with invalid configurations that would render the contract unusable.

  • The constructor fails to validate the _BidBeastsNFT parameter, allowing the contract to be deployed with a zero address for the NFT contract, which would cause all NFT-related operations to fail.

In src/BidBeastsNFTMarketPlace.sol:

constructor(address _BidBeastsNFT) {
@> BBERC721 = BidBeasts(_BidBeastsNFT);
}

Risk

Likelihood:

  • Contract deployment occurs during initial setup, when human error in providing constructor parameters is most likely.

  • Zero address is a common default value that could be accidentally passed during deployment scripts or manual deployment.

Impact:

  • Contract becomes completely unusable as all NFT operations (listing, transferring, ownership checks) will revert.

  • Requires expensive redeployment and migration of any existing state or integrations.

Proof of Concept

First, make a quick fix in test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest::setUp():

function setUp() public {
// Deploy contracts
- vm.prank(OWNER);
+ vm.startPrank(OWNER);
nft = new BidBeasts();
market = new BidBeastsNFTMarket(address(nft));
rejector = new RejectEther();
vm.stopPrank();
// Fund users
vm.deal(SELLER, STARTING_BALANCE);
vm.deal(BIDDER_1, STARTING_BALANCE);
vm.deal(BIDDER_2, STARTING_BALANCE);
}

Please add the following test to test/BidBeastsMarketPlaceTest.t.sol:

function testZeroAddressDepoly() public {
// Deployment with address(0) succeeds because the constructor performs no validation
BidBeastsNFTMarket failMarket = new BidBeastsNFTMarket(address(0));
}

Then run forge test --mt testZeroAddressDepoly:

Output:

Ran 1 test for test/BidBeastsMarketPlaceTest.t.sol:BidBeastsNFTMarketTest
[PASS] testZeroAddressDepoly() (gas: 2344864)
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 585.95µs (69.76µs CPU time)

Recommended Mitigation

constructor(address _BidBeastsNFT) {
+ require(_BidBeastsNFT != address(0), "BidBeasts NFT contract cannot be zero address");
BBERC721 = BidBeasts(_BidBeastsNFT);
}
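
To verify the mitigation, here is an added Foundry test (not part of the original submission or the Bid Beasts codebase) that uses a constructed stand-in contract carrying the checked constructor; it also adds a code-length check that goes beyond the page's fix, so that an EOA or mistyped address fails at deploy time too.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the real BidBeasts ERC-721; only its presence as a
// deployed contract matters for this test.
contract BidBeastsStub {}

// Constructed marketplace with the hardened constructor from the mitigation,
// plus an extra code-length check that is not part of the page's fix.
contract HardenedMarket {
    BidBeastsStub public BBERC721;

    constructor(address _BidBeastsNFT) {
        require(_BidBeastsNFT != address(0), "BidBeasts NFT contract cannot be zero address");
        // Extra hardening: a non-zero address with no code (an EOA or a typo) would
        // also make every NFT call revert at runtime; fail fast at deploy time instead.
        require(_BidBeastsNFT.code.length > 0, "BidBeasts NFT address has no code");
        BBERC721 = BidBeastsStub(_BidBeastsNFT);
    }
}

contract HardenedMarketTest is Test {
    address constant OWNER = address(0xABCD); // constructed test address

    function testZeroAddressDeployReverts() public {
        vm.expectRevert(bytes("BidBeasts NFT contract cannot be zero address"));
        new HardenedMarket(address(0));
    }

    function testNoCodeAddressDeployReverts() public {
        vm.expectRevert(bytes("BidBeasts NFT address has no code"));
        new HardenedMarket(address(0xBEEF)); // constructed: an address holding no code
    }

    function testValidAddressDeploySucceeds() public {
        vm.startPrank(OWNER);
        BidBeastsStub nft = new BidBeastsStub();
        HardenedMarket market = new HardenedMarket(address(nft));
        vm.stopPrank();
        assertEq(address(market.BBERC721()), address(nft));
    }
}
```

Run with forge test --mc HardenedMarketTest; the two revert tests pass only once the constructor checks are in place.
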

Updates

Lead Judging Commences

cryptoghost Lead Judge 2 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
