Thunder Loan
AI First Flight #7
Beginner FriendlyFoundryDeFiOracle
EXP
View results
Previous Next
Submission Details
Impact: low
Likelihood: low
Invalid

[L-04] Missing address(0) check in OracleUpgradeable.__Oracle_init_unchained()

sharonkosgei4

Root + Impact

Description

  • s_poolFactory is assigned without validating that poolFactoryAddress is not address(0). If the owner passes a zero address accidentally or otherwise during initialisation, all calls to getPriceInWeth() will revert because IPoolFactory calls on address(0) fail — bricking fee calculation and all flash loans.

function __Oracle_init_unchained(address poolFactoryAddress) internal onlyInitializing {
s_poolFactory = poolFactoryAddress; // no zero-address check
}

Risk

Likelihood:

  • Only triggerable during initialisation; requires an operator mistake or malicious deployment.

Proof of Concept

If address(0) is passed during initialization, s_poolFactory is set to zero. Every subsequent call to getPriceInWeth() will revert when it tries to call IPoolFactory(address(0)).getPool(token), making fee calculation impossible and bricking all flash loans permanently with no upgrade path.

thunderLoan.initialize(address(0)); // accepted — no revert
thunderLoan.flashloan(receiver, token, amount, "");
// reverts: IPoolFactory(address(0)).getPool(token) — invalid call

Recommended Mitigation

Add a zero-address guard at the top of the initializer so a misconfigured deployment fails fast rather than silently storing an unusable address.

function __Oracle_init_unchained(address poolFactoryAddress) internal onlyInitializing {
+ if (poolFactoryAddress == address(0)) revert OracleUpgradeable__ZeroAddress();
s_poolFactory = poolFactoryAddress;
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!