Code4rena: 2023-08-arbitrum-findings, issue 246
Aug 10, 2023

Missing validation to ensure that the _l2CoreGovTimelock parameter is not the zero address in the initialize function

Code4rena
github.com
smart contract security
missing validation
ethereum vulnerabilities

Lines of code

Vulnerability details

Impact

The initialize function accepts a parameter _l2CoreGovTimelock and checks that it is a contract address using Address.isContract(). There is no explicit check that _l2CoreGovTimelock is not the zero address (0x0000000000000000000000000000000000000000), a common source of issues in Ethereum smart contracts. Note that Address.isContract() tests whether the account holds code, and the zero address holds none, so the existing check already rejects address(0); what is missing is an explicit, self-documenting check with a revert reason that names the parameter, not a path by which the zero address can actually be stored.

Proof of Concept

If _l2CoreGovTimelock were stored as the zero address, every high-level call routed through it would revert (Solidity requires the target of such a call to hold code, or to return decodable data), and because initialize is normally guarded to run only once, the value could not be corrected afterwards. The concrete consequence, from a bricked governance path to lost funds, depends on how _l2CoreGovTimelock is used throughout the contract.

Tools Used

Manual

Recommended Mitigation Steps

Add a check at the start of the initialize function to ensure that _l2CoreGovTimelock is not the zero address:

require(_l2CoreGovTimelock != address(0), "_l2CoreGovTimelock cannot be the zero address");
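As an added illustration (not the Arbitrum governance code and not part of the finding), the following Solidity shows the recommended check inside a one-shot initialize function next to the contract check the finding describes, plus a small harness that exercises the zero address, an externally owned account and a real contract. The contract names, the initialized flag, the validate helper and the demo harness are assumptions made for this example; only the parameter name _l2CoreGovTimelock comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Arbitrum governance code. Contract names, the
// `initialized` flag, `validate` and the demo harness are assumptions made for
// illustration; only the parameter name `_l2CoreGovTimelock` comes from the finding.
contract TimelockConsumerExample {
    address public l2CoreGovTimelock;
    bool private initialized;

    // Same test OpenZeppelin's Address.isContract performs: does the account
    // hold code? The zero address never does, so this is already false for it.
    function _isContract(address account) internal view returns (bool) {
        return account.code.length > 0;
    }

    function initialize(address _l2CoreGovTimelock) external {
        require(!initialized, "already initialized");
        // Explicit zero-address check first, as the finding recommends. It is
        // redundant with _isContract but documents intent and names the
        // parameter in the revert reason.
        require(_l2CoreGovTimelock != address(0), "_l2CoreGovTimelock cannot be the zero address");
        require(_isContract(_l2CoreGovTimelock), "_l2CoreGovTimelock must be a contract");
        initialized = true;
        l2CoreGovTimelock = _l2CoreGovTimelock;
    }

    // Reports what each check says about a candidate without sending a tx:
    // (passes zero-address check, passes contract check).
    function validate(address candidate) external view returns (bool, bool) {
        return (candidate != address(0), _isContract(candidate));
    }
}

// Stand-in for a timelock: exists only so a contract address can be passed.
contract DummyTimelock {}

// Harness that exercises the initializer with the different kinds of input.
contract ZeroAddressCheckDemo {
    function zeroAddressRejected() external returns (bool) {
        TimelockConsumerExample c = new TimelockConsumerExample();
        try c.initialize(address(0)) { return false; } catch { return true; }
    }

    // Assumes the harness is called from an externally owned account, which
    // holds no code and therefore fails the contract check.
    function eoaRejected() external returns (bool) {
        TimelockConsumerExample c = new TimelockConsumerExample();
        try c.initialize(msg.sender) { return false; } catch { return true; }
    }

    function contractAccepted() external returns (bool) {
        TimelockConsumerExample c = new TimelockConsumerExample();
        address t = address(new DummyTimelock());
        c.initialize(t);
        return c.l2CoreGovTimelock() == t;
    }

    // initialize is one-shot: a second call, even with a valid address, reverts.
    function secondInitializeRejected() external returns (bool) {
        TimelockConsumerExample c = new TimelockConsumerExample();
        c.initialize(address(new DummyTimelock()));
        try c.initialize(address(new DummyTimelock())) { return false; } catch { return true; }
    }
}
```

Deploy ZeroAddressCheckDemo in Remix or any EVM test environment and call its four functions; each returns true. zeroAddressRejected() stays true even if the explicit zero-address require is deleted, because address(0) holds no code and fails the contract check; what the explicit check adds is a revert reason that names the parameter, and validate(address(0)) shows both checks returning false for the same input.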

Assessed type

Invalid Validation

