Oracle initializer accepts a zero pool-factory address, permanently bricking price lookups
Oracle initializer accepts a zero pool-factory address, permanently bricking price lookups
Description
__Oracle_init_unchained assigns the pool factory address with no validation, and ThunderLoan.initialize passes tswapAddress straight through. If address(0) is supplied, getPriceInWeth will always revert.
Notably, AssetToken already guards its constructor with revertIfZeroAddress, so the oracle's omission is an inconsistency within the same codebase.
Risk
Likelihood:
Requires a deployment/initialization mistake (zero address passed at init). Low likelihood since it is a one-time owner action, but trivial to get wrong.
Impact:
Every call to getPriceInWeth reverts because IPoolFactory(address(0)).getPool fails, which breaks getCalculatedFee and therefore deposit and flashloan. Since initialize is initializer-guarded, it cannot be re-run to fix the value — the deployment is bricked.
Proof of Concept
Initialize with the zero address and observe price lookups revert.
Recommended Mitigation
Reject the zero address during initialization, mirroring AssetToken.revertIfZeroAddress.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.