Missing zero address checks and core configuration variables checks in most contracts #78
Labels
0 (Non-critical)
Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
bug
Something isn't working
duplicate
This issue or pull request already exists
Comments
code423n4
added
1 (Low Risk)
|
Duplicate to #57 |
0xleastwood
added
0 (Non-critical)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
hyh
Vulnerability details
Impact
Being instantiated with a wrong configuration, the contracts are inoperable.
As in this case the variable list is big enough, a wrong value can go unnoticed and cause various malfunctions down the road.
Proof of Concept
The following initialize/constructor functions miss configuration variables checks.
OpenLevV1:
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/OpenLevV1.sol#L46
ControllerV1:
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/ControllerV1.sol#L33
XOLE:
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/XOLE.sol#L40
FarmingPools:
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/farming/FarmingPools.sol#L46
XOLEDelegator :
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/XOLEDelegator.sol#L17
Recommended Mitigation Steps
Add checks for zero addresses and control the values supplied for all core configuration variables
The text was updated successfully, but these errors were encountered: