NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: high
Likelihood: low

M-2: No Zero-Address Validation in Constructor

Author Revealed upon completion

Description:

The constructor does not validate that _owner or _usdc are non-zero addresses:

    constructor(address _owner, address _usdc, ...) {
        owner = _owner; // ← no zero-address check
        usdc = IERC20(_usdc); // ← no zero-address check
        ...
    }

Deploying with address(0) for either parameter would permanently brick ownership or make all USDC operations revert, with no recovery path.
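The two failure modes described above, shown as an added Forge test that is not part of the original submission. `UncheckedDealer`, `setFee` and `usdcBalance` are hypothetical stand-ins that mirror only the unchecked constructor assignments; the real NFTDealers functions are not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical stand-in: same unchecked assignments as the reported constructor.
contract UncheckedDealer {
    address public owner;
    IERC20 public usdc;
    uint256 public fee;

    constructor(address _owner, address _usdc) {
        owner = _owner;        // accepts address(0)
        usdc = IERC20(_usdc);  // accepts address(0)
    }

    // Assumed owner-gated setter, standing in for any owner-only function.
    function setFee(uint256 newFee) external {
        require(msg.sender == owner, "not owner");
        fee = newFee;
    }

    // Assumed token read, standing in for any USDC interaction.
    function usdcBalance() external view returns (uint256) {
        return usdc.balanceOf(address(this));
    }
}

contract ZeroAddressImpactTest is Test {
    // Zero owner: no real caller can satisfy msg.sender == owner.
    function test_zeroOwner_locksOwnerFunctions() public {
        UncheckedDealer d = new UncheckedDealer(address(0), address(0xBEEF));
        assertEq(d.owner(), address(0));
        vm.expectRevert(bytes("not owner"));
        d.setFee(1);
    }

    // Zero USDC: address(0) has no code, so the high-level token call reverts.
    function test_zeroUsdc_revertsOnTokenCall() public {
        UncheckedDealer d = new UncheckedDealer(address(this), address(0));
        vm.expectRevert();
        d.usdcBalance();
    }
}
```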

Recommended Mitigation:

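    // Custom error used below; declare it at contract level if it is not already defined.
    error InvalidAddress();

    constructor(address _owner, address _usdc, ...) {
        // Reject zero addresses before any state is written.
        if (_owner == address(0)) revert InvalidAddress();
        if (_usdc == address(0)) revert InvalidAddress();
        owner = _owner;
        usdc = IERC20(_usdc);
        ...
    }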

Proof of Concept (Forge):

    function test_constructor_zeroAddressOwner() public {
        vm.expectRevert(); // Should revert with InvalidAddress
        new NFTDealers(
            address(0), // zero owner
            address(usdc),
            "NFTDealers", "NFTD", "https://example.com", 20e6
        );
    }

    function test_constructor_zeroAddressUSDC() public {
        vm.expectRevert();
        new NFTDealers(
            owner,
            address(0), // zero USDC
            "NFTDealers", "NFTD", "https://example.com", 20e6
        );
    }
