Missing zero-address check in setters #83
Labels
1 (Low Risk)
Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug
Something isn't working
duplicate
This issue or pull request already exists
sponsor confirmed
Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Handle
palina
Vulnerability details
Impact
Missing checks for zero-addresses may lead to tokens being burned and lost, if the variable addresses are updated incorrectly.
Proof of Concept
NestedBuybacker:: setNestedReserve(): https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/NestedBuybacker.sol#L68,
setFeeSplitter(): https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/NestedBuybacker.sol#L74,
NestedRecords::setReserve(): https://github.com/code-423n4/2021-11-nested/blob/5d113967cdf7c9ee29802e1ecb176c656386fe9b/contracts/NestedRecords.sol#L180
Tools Used
Recommended Mitigation Steps
Consider adding zero-address checks in the discussed setter functions:
require(newAddr != address(0));
.The text was updated successfully, but these errors were encountered: