Stratax Contracts

First Flight #57
Impact: medium
Likelihood: medium

Missing Zero-Address Validation in Initializer Can Lead to Irrecoverable Misconfiguration


Description:
The initialize function assigns critical protocol dependencies without validating that the provided addresses are non-zero:

function initialize(
    address _aavePool,
    address _aaveDataProvider,
    address _oneInchRouter,
    address _usdc,
    address _strataxOracle
) external initializer {
@>  aavePool = IPool(_aavePool);
@>  aaveDataProvider = IProtocolDataProvider(_aaveDataProvider);
@>  oneInchRouter = IAggregationRouter(_oneInchRouter);
@>  USDC = _usdc;
    strataxOracle = _strataxOracle;
    owner = msg.sender;
    flashLoanFeeBps = 9;
}

If any of these parameters is mistakenly set to address(0), the contract will be initialized with invalid dependencies.
Because this is an upgradeable contract whose initialize function is guarded by the initializer modifier, the function can only be executed once, making the misconfiguration permanent.

This is especially dangerous for:

  • aavePool

  • oneInchRouter

  • strataxOracle

as they are core to protocol execution and external calls.

Impact:
A wrong initialization can brick the contract or cause undefined behavior:

  • Calls to address(0) will revert, disabling core functionality (flash loans, swaps, oracle reads).

  • Funds could become stuck if operations depend on these integrations.

  • The contract cannot be reinitialized to fix the mistake.

  • Requires redeployment and migration, which is operationally risky and expensive.

This represents a configuration risk with permanent consequences, particularly relevant during deployment or upgrades.

Proof of Concept:

Deployment script mistakenly passes a zero address:

stratax.initialize(
    address(aavePool),
    address(0), // Misconfigured
    address(oneInchRouter),
    usdc,
    oracle
);

The contract is now locked with:

aaveDataProvider == address(0);

Any function relying on it will revert:

aaveDataProvider.getReserveConfigurationData(...); // revert

Since the initializer modifier prevents initialize from being called again, the contract cannot be repaired.
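
The scenario above as a self-contained reproduction. This is an added example, not Stratax code and not part of the original submission. StrataxModel, Repro and the one-function IDataProvider interface are hypothetical simplified stand-ins, and the initializer modifier here is a minimal substitute for the library one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified stand-in for the data provider interface.
interface IDataProvider {
    function getReserveConfigurationData(address asset) external view returns (uint256);
}

contract StrataxModel {
    bool private _initialized; // minimal stand-in for the `initializer` guard
    IDataProvider public aaveDataProvider;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    // Same shape as the unvalidated assignment in the finding (one dependency shown).
    function initialize(address _aaveDataProvider) external initializer {
        aaveDataProvider = IDataProvider(_aaveDataProvider);
    }

    // Any function that depends on the misconfigured address.
    function readConfig(address asset) external view returns (uint256) {
        return aaveDataProvider.getReserveConfigurationData(asset);
    }
}

contract Repro {
    // Returns (stored dependency is zero, dependent call reverted, re-initialize reverted).
    function run(address realProvider) external returns (bool, bool, bool) {
        StrataxModel s = new StrataxModel();
        s.initialize(address(0)); // the misconfigured deployment

        bool isZero = address(s.aaveDataProvider()) == address(0);

        bool readReverted;
        try s.readConfig(address(1)) {} catch { readReverted = true; }

        bool reinitReverted;
        try s.initialize(realProvider) {} catch { reinitReverted = true; }

        return (isZero, readReverted, reinitReverted);
    }
}
```

Calling Repro.run with any address reports the three observations of the Proof of Concept in one transaction. A revert inside initialize would roll back the guard flag as well, which is why input validation there leaves the contract open for a corrected retry.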

Recommended Mitigation:
Validate all critical inputs during initialization:

function initialize(
address _aavePool,
address _aaveDataProvider,
address _oneInchRouter,
address _usdc,
address _strataxOracle
) external initializer {
+ require(_aavePool != address(0), "Invalid Aave pool");
+ require(_aaveDataProvider != address(0), "Invalid data provider");
+ require(_oneInchRouter != address(0), "Invalid 1inch router");
+ require(_usdc != address(0), "Invalid USDC");
+ require(_strataxOracle != address(0), "Invalid oracle");
aavePool = IPool(_aavePool);
aaveDataProvider = IProtocolDataProvider(_aaveDataProvider);
oneInchRouter = IAggregationRouter(_oneInchRouter);
USDC = _usdc;
strataxOracle = _strataxOracle;
owner = msg.sender;
flashLoanFeeBps = 9;
}
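
Review bot: the five added require checks at the top of initialize only reject address(0), so a mistyped non-zero address or an externally owned account still passes and is locked in by the initializer modifier just the same. For the arguments that are cast to contract interfaces (_aavePool, _aaveDataProvider, _oneInchRouter), consider also requiring that the address has code, for example require(_aavePool.code.length > 0, "Aave pool has no code"). Separately, flashLoanFeeBps = 9; in the unchanged context is still a bare literal; a named constant would document the value and its unit.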

to avoid the use of magic numbers and improve clarity.
