Innocent Turquoise Barracuda
Medium
The aggregatorContract is passed as an argument during the initialization of the contract, but if the address provided is address(0), it cannot be changed after deployment. This creates an issue as functions like acceptLendingOffer() and addFunds() depend on the aggregator to authorize actions, but address(0) cannot authorize them, effectively blocking these operations.
In DebitaLendOffer-Implementation.sol#L82
There is no check that the aggregator address is not address(0), and if it is set to address(0) it cannot be changed afterwards.
No response
No response
No response
Once the contract is deployed with address(0) for the aggregatorContract, the lending offer cannot be accepted or updated, as the aggregator is an essential component for authorization. Since the aggregator address cannot be changed, the contract becomes unusable, locking the funds and preventing any lending actions.
This means that, given the following modifier and function:
    modifier onlyAggregator() {
        require(msg.sender == aggregatorContract, "Only aggregator");
        _;
    }
    function acceptLendingOffer(
        uint amount
    ) public onlyAggregator nonReentrant onlyAfterTimeOut {
        // Function logic
    }
acceptLendingOffer() cannot be called, because only the aggregator is allowed to call it.
No response
Ensure that the aggregatorContract is always set to a valid, non-zero address before deployment. Add a check during initialization that reverts the transaction if aggregatorContract is set to address(0):
require(_aggregatorContract != address(0), "Aggregator contract cannot be address(0)");
Add a function to allow changing the aggregatorContract address post-deployment, but restrict it to trusted addresses or the contract owner only, to avoid future issues:
    function setAggregatorContract(address _aggregatorContract) external onlyOwner {
        require(_aggregatorContract != address(0), "Aggregator contract cannot be address(0)");
        aggregatorContract = _aggregatorContract;
    }
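A Foundry regression test for the behaviour described above, added here as an example and not taken from the Debita code base or from this report. LendOfferSketch, its checkZero switch and the test names are hypothetical stand-ins that model only the aggregator wiring; forge-std is assumed to be installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the lend offer; only the aggregator wiring is modelled.
contract LendOfferSketch {
    address public aggregatorContract;
    bool private initialized;
    bool private immutable checkZero; // true = variant with the proposed zero-address check

    constructor(bool _checkZero) { checkZero = _checkZero; }

    function initialize(address _aggregatorContract) external {
        require(!initialized, "Already initialized");
        if (checkZero) {
            require(_aggregatorContract != address(0), "Aggregator contract cannot be address(0)");
        }
        aggregatorContract = _aggregatorContract;
        initialized = true;
    }

    modifier onlyAggregator() {
        require(msg.sender == aggregatorContract, "Only aggregator");
        _;
    }

    function acceptLendingOffer(uint256) external onlyAggregator {}
}

contract AggregatorZeroAddressTest is Test {
    // Without the check, address(0) is stored and no real caller can pass onlyAggregator.
    function testFuzz_ZeroAggregatorBlocksAccept(address caller) public {
        vm.assume(caller != address(0)); // address(0) cannot originate a call on-chain
        LendOfferSketch offer = new LendOfferSketch(false);
        offer.initialize(address(0));
        vm.prank(caller);
        vm.expectRevert(bytes("Only aggregator"));
        offer.acceptLendingOffer(1);
    }

    // With the check, the misconfiguration is rejected at initialization.
    function test_InitializeRejectsZeroAggregator() public {
        LendOfferSketch offer = new LendOfferSketch(true);
        vm.expectRevert(bytes("Aggregator contract cannot be address(0)"));
        offer.initialize(address(0));
    }
}
```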