Zero Address at Constructor #60
Labels
bug: Something isn't working
duplicate: This issue or pull request already exists
edited-by-warden
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyFactory.sol#L21-L22
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernanceNFT.sol#L44-L46
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/party/PartyGovernance.sol#L266-L268
https://github.com/PartyDAO/party-contracts-c4/blob/main/contracts/proposals/FractionalizeProposal.sol#L34-L36
Vulnerability details
Impact
Zero address check for `globals` and `vaultFactory` should be implemented when deploying the contract. This is because there are no setter functions catered for the associated immutable variables. In the event a mistake was made, not only would all calls associated with them be non-functional, but the contract(s) would also have to be redeployed.
Proof of Concept
A zero address could accidentally be assigned to `globals` or `vaultFactory`, rendering the deployed contract obsolete.
Recommended Mitigation Steps
The constructor should typically be refactored as follows:
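An added example of such a check, not the warden's original snippet and not PartyDAO's code. The contract name `ZeroCheckedExample`, the interfaces `IGlobalsLike` and `IVaultFactoryLike`, the error `ZeroAddress` and the state variable names are hypothetical; only the parameter names `globals` and `vaultFactory` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical stand-ins for the real dependency interfaces (assumption).
interface IGlobalsLike {}
interface IVaultFactoryLike {}

// Added illustration: validates constructor arguments before they are
// written to immutables, which cannot be changed after deployment.
contract ZeroCheckedExample {
    // Names the offending parameter so a failed deployment is easy to diagnose.
    error ZeroAddress(string param);

    IGlobalsLike private immutable _GLOBALS;
    IVaultFactoryLike public immutable VAULT_FACTORY;

    constructor(IGlobalsLike globals, IVaultFactoryLike vaultFactory) {
        // Reverting here aborts the deployment, so a misconfigured
        // instance never exists on-chain.
        _requireNonZero(address(globals), "globals");
        _requireNonZero(address(vaultFactory), "vaultFactory");

        _GLOBALS = globals;
        VAULT_FACTORY = vaultFactory;
    }

    // Shared check so each constructor argument is validated the same way.
    function _requireNonZero(address a, string memory param) private pure {
        if (a == address(0)) revert ZeroAddress(param);
    }
}
```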