No validation for constructor arguments in OLEToken.sol #53
Open
Labels
- 0 (Non-critical): Code style, clarity, syntax, versioning, off-chain monitoring (events etc), exclude gas optimisation
- bug: Something isn't working
- sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Handle
jayjonah8
Vulnerability details
Impact
In OLEToken.sol the constructor takes in two addresses and two strings and simply sets them in storage without any validation checks.
Proof of Concept
https://github.com/code-423n4/2022-01-openleverage/blob/main/openleverage-contracts/contracts/gov/OLEToken.sol#L41
Tools Used
Manual code review
Recommended Mitigation Steps
Add validation checks for addresses in the constructor. Require that they are not the same, and the string args should also be unique. The addresses should also not be zero addresses.
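As an added illustration of the recommended checks (this is not code from the OpenLeverage repository, and the parameter names admin_, dev_, name_ and symbol_ are assumed rather than taken from OLEToken.sol), a constructor that rejects zero addresses, identical addresses and identical strings; it also rejects empty strings, which goes slightly beyond what the finding asks for:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative governance-token constructor with argument validation.
// Parameter names are assumed for this example; the real OLEToken
// constructor signature is not reproduced here.
contract ValidatedToken {
    address public admin;
    address public dev;
    string public name;
    string public symbol;

    constructor(
        address admin_,
        address dev_,
        string memory name_,
        string memory symbol_
    ) {
        // Neither privileged role may be the zero address, otherwise the
        // role is unrecoverable and any admin-gated function is bricked.
        require(admin_ != address(0), "admin is zero address");
        require(dev_ != address(0), "dev is zero address");

        // The two roles must be held by distinct accounts.
        require(admin_ != dev_, "admin and dev must differ");

        // Empty token metadata is almost always a deployment mistake.
        require(bytes(name_).length != 0, "empty name");
        require(bytes(symbol_).length != 0, "empty symbol");

        // Solidity cannot compare string values with != directly, so the
        // uniqueness check compares their keccak256 hashes instead.
        require(
            keccak256(bytes(name_)) != keccak256(bytes(symbol_)),
            "name and symbol must differ"
        );

        admin = admin_;
        dev = dev_;
        name = name_;
        symbol = symbol_;
    }
}
```

Because constructor arguments are fixed at deployment, a failed require here reverts the deployment itself, which is the cheapest point at which to catch a misconfiguration.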