Stratax Contracts

First Flight #57

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: low

Likelihood: low

No Zero-Address Validation in initialize()

Author Revealed upon completion

Root + Impact

Location: src/Stratax.sol:173-187

Description

initialize() sets all core protocol addresses in a single call that can never be repeated. None of the five address parameters are validated against address(0). A deployment script error permanently misconfigures the proxy with no correction path.

// src/Stratax.sol:173-187

function initialize(

address _aavePool, // @> no zero-address check

address _aaveDataProvider, // @> no zero-address check

address _oneInchRouter, // @> no zero-address check

address _usdc, // @> no zero-address check

address _strataxOracle // @> no zero-address check

) external initializer {

aavePool = IPool(_aavePool);

...

}

Risk

Likelihood:

Deployment scripts that pass environment variables in the wrong order or miss a variable produce address(0) silently
The initializer modifier prevents correction — the mistake is permanent

Impact:

A zero aavePool address causes every position operation to revert on the first Aave call
A zero strataxOracle causes all price-dependent calculations to revert
Proxy must be abandoned and redeployed, losing the intended contract address

Proof of Concept

// SPDX-License-Identifier: UNLICENSED

pragma solidity ^0.8.13;

import {Test} from "forge-std/Test.sol";

import {Stratax} from "../../src/Stratax.sol";

import {BeaconProxy} from "@openzeppelin/contracts/proxy/beacon/BeaconProxy.sol";

contract ZeroAddressInitPoCTest is Test {

function test_initializeWithZeroAavePoolSucceeds() public {

Stratax impl = new Stratax();

// Deployment script passes address(0) for aavePool by mistake

bytes memory initData = abi.encodeWithSelector(

Stratax.initialize.selector,

address(0), // @> zero aavePool — no check, accepted silently

address(0x111),

address(0x222),

address(0x333),

address(0x444)

);

BeaconProxy proxy = new BeaconProxy(address(impl), initData);

Stratax stratax = Stratax(address(proxy));

// Contract initialized but aavePool is address(0)

assertEq(address(stratax.aavePool()), address(0));

// Cannot re-initialize — permanently broken

vm.expectRevert();

stratax.initialize(address(0x100), address(0x111), address(0x222), address(0x333), address(0x444));

}

Recommended Mitigation

Add require checks for each address parameter at the top of initialize(). Since initialize() can only be called once; they act as the only deployment-time guard. Catching zero addresses early prevents the proxy from being permanently misconfigured.

+ require(_aavePool != address(0), "Invalid aavePool");

+ require(_aaveDataProvider != address(0), "Invalid dataProvider");

+ require(_oneInchRouter != address(0), "Invalid router");

+ require(_usdc != address(0), "Invalid USDC");

+ require(_strataxOracle != address(0), "Invalid oracle");

aavePool = IPool(_aavePool);

Rewards breakdown

nSLOC

356

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!