Constructor Does Not Validate Critical Addresses Against `address(0)`
Constructor Does Not Validate Critical Addresses Against address(0)
Description
The constructor sets critical addresses (owner and usdc) without validating that inputs are non-zero.
If _owner is address(0), owner-only administrative functionality becomes permanently inaccessible. If _usdc is address(0), ERC20 interactions (mint/list/buy/settlement flows) are misconfigured and can revert or behave unexpectedly.
Risk
Likelihood:
-
The issue occurs at deployment time when constructor arguments are supplied.
-
Deployment scripts and manual deployments are common sources of parameter mistakes.
Impact:
-
owner = address(0)can permanently lock admin operations (onlyOwner). -
usdc = address(0)breaks core protocol token flows and can render the system unusable.
Proof of Concept
Deploy with
_owner = address(0).Call any
onlyOwnerfunction (e.g.,revealCollection()) from a regular account.Call reverts forever because no EOA can satisfy
owner == msg.sender.
Alternative:
Deploy with
_usdc = address(0).Call
mintNft()orbuy().ERC20 call path is invalid due to a zero token address, causing core flows to fail.
Recommended Mitigation
Validate constructor inputs and revert on zero addresses.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.