updateVerifier() Does Not Validate New Verifier Address Can Be Set to address(0)
Root + Impact
Description
The constructor correctly validates
if (_verifier == address(0)) revert InvalidVerifier().updateVerifier(), which replaces the verifier at runtime, performs no such check, allowing the owner to accidentally (or maliciously, post-key-compromise) set the verifier toaddress(0)or any non-contract address.
Risk
Likelihood:
Requires a compromised or negligent owner key unlikely but non-zero.
Impact:
-
Setting
verifier = address(0)causesverifier.verify(...)to revert on all futureclaim()calls, permanently bricking the hunt without a recovery path while the contract still holds funds. -
Even if caught quickly, the contract must be unpaused → re-paused → verifier updated, during which time the hunt is halted.
Proof of Concept
Recommended Mitigation
Mirror the constructor's validation in updateVerifier():
Lead Judging Commences
no zero-address check in updateVerifier()
The issue is that `updateVerifier()` allows the owner to replace the verifier with an arbitrary address, including `address(0)`, even though the constructor explicitly treats a zero verifier as invalid and reverts with `InvalidVerifier()` during initial deployment. In other words, the contract establishes at deployment time that a null verifier address is not an acceptable configuration, but then fails to preserve that same invariant when the verifier is later updated through the admin recovery path.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.