Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 170/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
If a smart contract accepts an invalid address without proper validation, it can lead to various issues and vulnerabilities. Here are some potential consequences:
Loss of Funds: If the contract moves funds and does not validate the recipient or destination address, ETH or tokens can be sent to an address that nobody controls, the zero address being the most common case. Such a transfer is final; there is no way to recover the funds.
Functionality Issues: An unvalidated address stored in state (for example an oracle, token or admin address) causes every later call through it to fail or behave unexpectedly, which can leave the contract unusable until the value is corrected, if it can be corrected at all.
Security Vulnerabilities: If the address can be set to something other than the intended target, whoever controls that address inherits the trust the contract places in it. An attacker-controlled contract supplied where a trusted one was expected can return crafted values and so manipulate the contract's state or disrupt its normal operation.
Reentrancy Attacks: If the address is later called (as a callback target or as a contract the protocol interacts with), an attacker-controlled contract at that address receives execution and can re-enter the calling contract. Note that the zero address itself holds no code, so calls to it cannot re-enter: a low-level call to it simply returns success, and a high-level call reverts.
The code if (address_ == address(0)) in Solidity is checking whether the variable address_ is equal to the Ethereum address 0x0000000000000000000000000000000000000000, which represents the null address or zero address.
This check is commonly used to determine whether an address has been set or initialized. However, it's important to note that it doesn't guarantee that the address is valid or that it corresponds to a deployed contract. It only checks if the address is the zero address.
If you want to check whether an address is valid and corresponds to a deployed contract, you may want to use additional checks, such as checking the bytecode size at the given address. For example:
```solidity
if (address_ == address(0)) {
    // Address not set
} else {
    uint256 size;
    assembly {
        size := extcodesize(address_)
    }
    if (size > 0) {
        // Address corresponds to a deployed contract
    } else {
        // Address is not the zero address, but it is not a deployed contract
    }
}
```
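The following contract is an added illustration of the two checks described above and of the failure mode they prevent. It is not code from the audited project or from the original report; the contract name, the `oracle`/`setOracle` names and the `IPriceFeed` interface are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for the example; not part of the audited project.
interface IPriceFeed {
    function latestPrice() external view returns (uint256);
}

contract AddressValidationExample {
    error ZeroAddress();
    error NotAContract(address target);

    address public owner;
    IPriceFeed public oracle;

    event OracleUpdated(address indexed previous, address indexed current);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Rejects the zero address (the usual check) and any address without code.
    /// Caveats a reviewer should keep in mind:
    ///  - `code.length` is 0 while a contract is still in its constructor, so a
    ///    legitimate contract calling this from its own constructor is rejected;
    ///  - the check only proves that *some* code exists at the address today,
    ///    not that it is the intended contract.
    function setOracle(address newOracle) external onlyOwner {
        if (newOracle == address(0)) revert ZeroAddress();
        if (newOracle.code.length == 0) revert NotAContract(newOracle);
        emit OracleUpdated(address(oracle), newOracle);
        oracle = IPriceFeed(newOracle);
    }

    /// A high-level call through an address with no code reverts at runtime
    /// (the compiler's extcodesize check, or the return-data decoding, fails),
    /// so an unset oracle surfaces as a revert rather than a bogus price.
    function readPrice() external view returns (uint256) {
        return oracle.latestPrice();
    }

    /// Shows why the missing check is dangerous for value transfers: a
    /// low-level call to an address with no code (address(0) or any EOA)
    /// returns ok == true and the ETH is transferred, with no way to recover it.
    function forwardValue(address target) external payable returns (bool ok) {
        (ok, ) = target.call{value: msg.value}("");
    }

    /// Same size check written in assembly, equivalent to `target.code.length > 0`.
    function isContract(address target) public view returns (bool) {
        uint256 size;
        assembly {
            size := extcodesize(target)
        }
        return size > 0;
    }
}
```

In practice the zero-address check belongs in every constructor and setter that stores an address, while the code-size check is worth adding only where the address must be a contract and the constructor-time caveat above is acceptable.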
Other
#0 - c4-pre-sort
2023-11-16T19:42:41Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T19:43:02Z
raymondfam marked the issue as duplicate of #69
#2 - c4-judge
2023-11-29T20:58:12Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-29T21:02:47Z
fatherGoose1 marked the issue as grade-b