Anubis - Lack of Input Validation in Constructor #21
Labels
Excluded: Excluded by the judge without consulting the protocol or the senior
Non-Reward: This issue will not receive a payout
Anubis
medium
Lack of Input Validation in Constructor
Summary
The GovernorBravoDelegator contract's constructor does not perform thorough validation on the input parameters, potentially allowing the contract to be initialized with invalid or malicious addresses.
Vulnerability Detail
The constructor of the GovernorBravoDelegator contract accepts several parameters, including timelock_, gohm_, kernel_, and implementation_, which are critical for the contract's functionality. However, there is a lack of comprehensive validation on these inputs, which could lead to the contract being initialized with incorrect or malicious addresses.
Impact
Initializing the contract with incorrect or malicious addresses can lead to malfunctioning governance processes, security vulnerabilities, or other operational risks.
Code Snippet
https://github.com/sherlock-audit/2024-01-olympus-on-chain-governance/blob/main/bophades/src/external/governance/GovernorBravoDelegator.sol#L10-L38
Tool used
Manual Review
Recommendation
Implement rigorous input validation in the constructor to ensure that all parameters are checked for validity before being used to initialize the contract. Consider the following validations:
Here's a code snippet illustrating how you might implement input validation in the constructor:
By adding these checks, you can prevent the contract from being initialized with invalid parameters, thereby reducing the risk of misconfiguration or vulnerabilities in the governance process.
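An added example, not part of the original report and not the project's own code: a minimal Solidity constructor that rejects the zero address and non-contract addresses for the four parameters the report names. The contract name, error names and the `_requireContract` helper are hypothetical, and the real constructor's other parameters are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Hypothetical sketch for illustration; not the GovernorBravoDelegator source.
contract ValidatedDelegator {
    error ZeroAddress(string param);
    error NotAContract(string param, address value);

    address public immutable timelock;
    address public immutable gohm;
    address public immutable kernel;
    address public implementation;

    constructor(
        address timelock_,
        address gohm_,
        address kernel_,
        address implementation_
    ) {
        // Each address is validated before it is stored; any failure
        // reverts the whole deployment, so no partial state is left behind.
        timelock = _requireContract("timelock_", timelock_);
        gohm = _requireContract("gohm_", gohm_);
        kernel = _requireContract("kernel_", kernel_);
        implementation = _requireContract("implementation_", implementation_);
    }

    /// Reverts unless `value` is non-zero and has deployed bytecode.
    function _requireContract(
        string memory param,
        address value
    ) private view returns (address) {
        if (value == address(0)) revert ZeroAddress(param);
        // code.length is 0 for externally owned accounts and for a
        // contract that is still executing its own constructor.
        if (value.code.length == 0) revert NotAContract(param, value);
        return value;
    }
}
```

These checks only catch the zero address and externally owned accounts; they do not confirm that an address is the intended contract, so deployment scripts still need to verify the configured addresses.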