Missing zero-address checks on contract initialization #74
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Comments
code423n4
added
1 (Low Risk)
This was referenced Dec 10, 2021
0xScotch
added
the
sponsor confirmed
|
Input validation is a industry standard finding with low severity |
This was referenced Jan 22, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
hyh
Vulnerability details
Impact
Being instantiated with wrong configuration, the contract is inoperable and deploy gas costs will be lost.
If misconfiguration is noticed too late the various types of malfunctions become possible.
Proof of Concept
The checks for zero addresses during contract construction and initialization are considered to be the best-practice.
Now basically all the contract do not check for correctness of constructor arguments:
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/Malt.sol#L29
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/RewardSystem/RewardOverflowPool.sol#L25
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/TransferService.sol#L25
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/ForfeitHandler.sol#L31
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/MiningService.sol#L30
https://github.com/code-423n4/2021-11-malt/blob/main/src/contracts/DexHandlers/UniswapHandler.sol#L47
...
Recommended Mitigation Steps
Add zero-address checks and key non-address variables checks in all contract constructors. Small increase of gas costs are far out weighted by wrong deploy costs savings and additional coverage against misconfiguration.
The text was updated successfully, but these errors were encountered: