Missing zero-address checks on LockeERC20 and Stream construction #68
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
Handle
hyh
Vulnerability details
Impact
If instantiated with a wrong configuration, the contract is inoperable and the gas spent on deployment is lost.
If the misconfiguration is noticed too late, various types of malfunction become possible.
Proof of Concept
Checking for zero addresses during contract construction and initialization is a best practice.
Currently the LockeERC20 and Stream contracts do not validate their constructor arguments at all:
LockeERC20
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/LockeERC20.sol#L56
Stream
https://github.com/code-423n4/2021-11-streaming/blob/main/Streaming/src/Locke.sol#L263
Recommended Mitigation Steps
Add zero-address checks, and checks on key non-address variables, to all contract constructors. The small increase in gas cost is far outweighed by the cost of a wasted deployment and by the additional protection against misconfiguration.
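As an added illustration of the recommended mitigation (this is example code written for this page, not code from the Streaming repository), the hypothetical contract below shows what the missing validation looks like in a stream-style constructor. The parameter names (`_rewardToken`, `_depositToken`, `_startTime`, `_streamDuration`) and the invariants are assumptions chosen for the example and do not claim to match Locke.sol's actual constructor signature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical minimal stream contract used only to illustrate constructor
/// argument validation. It is NOT the Stream contract from the audited
/// repository; the parameter names and invariants below are assumptions.
contract ValidatedStream {
    address public immutable rewardToken;
    address public immutable depositToken;
    address public immutable creator;
    uint256 public immutable startTime;
    uint256 public immutable endStream;

    constructor(
        address _rewardToken,
        address _depositToken,
        uint256 _startTime,
        uint256 _streamDuration
    ) {
        // Zero-address checks: a stream bound to address(0) can never move
        // tokens, so the deployment would be dead on arrival and the gas lost.
        require(_rewardToken != address(0), "reward token is zero address");
        require(_depositToken != address(0), "deposit token is zero address");

        // Key non-address checks: a stream that starts in the past or lasts
        // zero seconds has undefined accounting, so reject it at construction.
        require(_startTime >= block.timestamp, "start time in the past");
        require(_streamDuration > 0, "zero stream duration");

        rewardToken = _rewardToken;
        depositToken = _depositToken;
        creator = msg.sender;
        startTime = _startTime;
        endStream = _startTime + _streamDuration;
    }
}
```

Each `require` costs a few dozen gas at deployment and nothing afterwards, since the values are written to `immutable` fields once. A deployment test that attempts to construct the contract with `address(0)` for each token and expects a revert is the natural regression check for this class of issue.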