Skip to content

Latest commit

 

History

History
40 lines (31 loc) · 1.55 KB

082.md

File metadata and controls

40 lines (31 loc) · 1.55 KB
Raw

Nice Black Bull

Medium

The VVVVCInvestmentLedger constructor does not include a check to prevent passing a zero address for its parameters.

Summary

The VVVVCInvestmentLedger constructor does not include a check to prevent passing a zero address for its parameters. Without this validation, it is possible to initialize the contract with invalid addresses, which could be problematic as these parameters cannot be updated after deployment.

Impact

https://github.com/sherlock-audit/2024-11-vvv-exchange-update/blob/main/vvv-platform-smart-contracts/contracts/vc/VVVVCInvestmentLedger.sol#L123

If the constructor parameters are set to the zero address (0x0), the contract will have a crucial reference set to an invalid address. This could lead to the invalidity and inability to sign investment transactions.

Mitigation

  • Add a check to validate the parameter of _signer
    constructor(
        address _signer,
        string memory _environmentTag,
        address _authorizationRegistryAddress,
        uint256 _exchangeRateDenominator
    ) VVVAuthorizationRegistryChecker(_authorizationRegistryAddress) {
+ require(_signer != address(0), "Signer cannot be address 0");
        signer = _signer;
        exchangeRateDenominator = _exchangeRateDenominator;

        // EIP-712 domain separator
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(
                DOMAIN_TYPEHASH,
                keccak256(abi.encodePacked("VVV", _environmentTag)),
                block.chainid,
                address(this)
            )
        );
    }