SNARKeling Treasure Hunt

First Flight #59
Beginner Friendly, GameFi, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: low

Lacking zero address check on updating verifier


Root + Impact

Description

  • `updateVerifier` does not validate the new address. An attempt to set the verifier to the zero address should revert with the `InvalidVerifier` custom error; otherwise, the claim functionality of the contract will always revert.


function updateVerifier(IVerifier newVerifier) external {
    require(paused, "THE_CONTRACT_MUST_BE_PAUSED");
    require(msg.sender == owner, "ONLY_OWNER_CAN_UPDATE_VERIFIER");
    // @audit The new verifier should not be the zero address or the current verifier.
@>  verifier = newVerifier;
    emit VerifierUpdated(address(newVerifier));
}

Risk

Likelihood:

  • Low: Occurs only when the owner updates the verifier to the zero address


Impact:

  • High: If the verifier is updated to the zero address, every call to the verify function of the Verifier will revert, blocking the reward-claiming functionality of the protocol

Proof of Concept


  • The owner pauses the contract

  • The owner updates the verifier to the zero address

  • The owner unpauses the contract

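function testUpdateVerifierToZeroAddressSuccess() public {
    vm.startPrank(owner);
    hunt.pause();
    // No validation: the zero address is accepted as the new verifier
    hunt.updateVerifier(IVerifier(address(0)));
    hunt.unpause();
    vm.stopPrank();
    // The contract is live again with verifier == address(0)
    assertEq(address(hunt.getVerifier()), address(0));
}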
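
The test above only asserts the stored address. The following added Foundry test (not part of the submission or the contest code base) shows the claim path actually reverting once the verifier is the zero address, next to a checked setter that also rejects any address without code, which goes one step beyond the zero-address case. `MiniHunt`, `OkVerifier`, and the `verify(bytes)` / `claim(bytes)` signatures are constructed stand-ins and assumptions, with the owner and pause checks omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-ins; the verify/claim signatures are assumptions.
interface IVerifier {
    function verify(bytes calldata proof) external view returns (bool);
}

contract OkVerifier is IVerifier {
    function verify(bytes calldata) external pure returns (bool) { return true; }
}

contract MiniHunt {
    error InvalidVerifier();
    IVerifier public verifier;

    constructor(IVerifier v) { verifier = v; }

    // Mirrors the unchecked assignment in the finding (owner/pause checks omitted).
    function updateVerifierUnchecked(IVerifier v) external { verifier = v; }

    // Checked variant: rejects the zero address and any address without code.
    function updateVerifierChecked(IVerifier v) external {
        if (address(v) == address(0) || address(v).code.length == 0) revert InvalidVerifier();
        verifier = v;
    }

    function claim(bytes calldata proof) external view returns (bool) {
        return verifier.verify(proof); // reverts when verifier has no code
    }
}

contract ZeroVerifierTest is Test {
    function testClaimRevertsAfterZeroVerifier() public {
        MiniHunt hunt = new MiniHunt(new OkVerifier());
        assertTrue(hunt.claim(""));
        hunt.updateVerifierUnchecked(IVerifier(address(0)));
        vm.expectRevert();
        hunt.claim("");
    }
    function testCheckedSetterKeepsClaimsWorking() public {
        MiniHunt hunt = new MiniHunt(new OkVerifier());
        vm.expectRevert(MiniHunt.InvalidVerifier.selector);
        hunt.updateVerifierChecked(IVerifier(address(0)));
        assertTrue(hunt.claim("")); // verifier unchanged
    }
}
```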

Recommended Mitigation

  • Add a zero-address check that reverts with the `InvalidVerifier` custom error

function updateVerifier(IVerifier newVerifier) external {
require(paused, "THE_CONTRACT_MUST_BE_PAUSED");
require(msg.sender == owner, "ONLY_OWNER_CAN_UPDATE_VERIFIER");
+ if (address(newVerifier) == address(0) || address(newVerifier) == address(verifier)) {
+ revert InvalidVerifier();
+ }
verifier = newVerifier;
emit VerifierUpdated(address(newVerifier));
}
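
Review bot: the added condition `address(newVerifier) == address(0)` only rules out the zero address, so a non-zero address that has no contract code would still be accepted and leave claims reverting in the same way; consider also rejecting `address(newVerifier).code.length == 0`. The second half of the `||` reports a no-op update to the current verifier with the same `InvalidVerifier` error, so a short comment or a separate error would let the owner tell the two cases apart.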
