NFT Dealers
First Flight #58
Beginner FriendlyFoundry
100 EXP
View all submissions
Previous Next
Submission Details
Impact: low
Likelihood: low

Owner can be set to zero address (report)

Author Revealed upon completion

Because the constructor assigns owner = _owner without checking for address(0), deploying with a zero owner permanently disables all owner‑only functions.

Description

  • behavior: the contract owner should be a valid non-zero address to ensure owner-only functions remain callable.

  • Issue: the constructor assigns owner = _owner without validating _owner != address(0), allowing deployment with a zero owner.

*@> constructor(...) {
@> owner = _owner;
@> ...
@> }

Risk

Likelihood:

  • Deployment occurs with a misconfigured or uninitialized owner address.

  • Scripts or deployment tooling pass address(0) by mistake.

Impact:

  • Owner-only functions (revealCollection, whitelistWallet, removeWhitelistedWallet, withdrawFees) become permanently inaccessible.

  • Protocol administration and fee withdrawal can be irrevocably locked.

Proof of Concept

/* PoC Steps (tools included):
1) Slither (trailofbits/eth-security-toolbox): flagged missing-zero-check on constructor _owner.
2) Manual review: confirmed owner is assigned directly without a zero-address guard.
3) Deployment script / Foundry (tooling): deploy NFTDealers with _owner = address(0).
4) On-chain call: attempt revealCollection() or withdrawFees(); onlyOwner fails, proving ownership is locked.
*/

Recommended Mitigation

Deployments fail fast if the owner is misconfigured. We can also set owner = msg.sender and remove the _owner parameter entirely to avoid this class of error.

- owner = _owner;
+ require(_owner != address(0), "invalid owner");
+ owner = _owner;

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!