The issue reported does not cause any immediate risk to funds or information, but confusion in the development process or accidental side effects may arise from the contract if the bug is left unaddressed.
Handle
maplesyrup
Vulnerability details
Impact
1 - Low Risk
Proof of Concept
According to the Slither-analyzer documentation (https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation), the following functions need a way to verify that the address in the variable is not 0x0, or that it is the correct address that ownership/funds need to be sent to. This makes sure that funds/ownership are not lost accidentally.
RCOrderbook.constructor(address,address)._factoryAddress
(contracts/RCOrderbook.sol line(s)#106)
lacks a zero-check on:
factoryAddress = _factoryAddress
(contracts/RCOrderbook.sol line(s)#107)
Console output (Slither log):
INFO:Detectors:
RCMarket.initialize(uint256,uint32[],uint256,uint256,address,address,address[],address,string)._artistAddress (contracts/RCMarket.sol#196) lacks a zero-check on :
- artistAddress = _artistAddress (contracts/RCMarket.sol#229)
RCMarket.initialize(uint256,uint32[],uint256,uint256,address,address,address[],address,string)._marketCreatorAddress (contracts/RCMarket.sol#199) lacks a zero-check on :
- marketCreatorAddress = _marketCreatorAddress (contracts/RCMarket.sol#230)
RCMarket.initialize(uint256,uint32[],uint256,uint256,address,address,address[],address,string)._affiliateAddress (contracts/RCMarket.sol#197) lacks a zero-check on :
- affiliateAddress = _affiliateAddress (contracts/RCMarket.sol#231)
RCOrderbook.constructor(address,address)._factoryAddress (contracts/RCOrderbook.sol#106) lacks a zero-check on :
- factoryAddress = _factoryAddress (contracts/RCOrderbook.sol#107)
RCOrderbook.constructor(address,address)._treasuryAddress (contracts/RCOrderbook.sol#106) lacks a zero-check on :
- treasuryAddress = _treasuryAddress (contracts/RCOrderbook.sol#108)
BridgeMockup.requireToPassMessage(address,bytes,uint256)._RCProxyAddress (contracts/mockups/BridgeMockup.sol#13) lacks a zero-check on :
- (_success) = _RCProxyAddress.call{value: (0)}(_data) (contracts/mockups/BridgeMockup.sol#18)
BridgeMockup.setProxyL1Address(address)._newAddress (contracts/mockups/BridgeMockup.sol#38) lacks a zero-check on :
- oracleProxyMainnetAddress = _newAddress (contracts/mockups/BridgeMockup.sol#39)
BridgeMockup.setProxyL2Address(address)._newAddress (contracts/mockups/BridgeMockup.sol#42) lacks a zero-check on :
- oracleProxyXdaiAddress = _newAddress (contracts/mockups/BridgeMockup.sol#43)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation
Tools Used
Solidity Compiler 0.8.4
Hardhat v2.3.3
Slither v0.8.0
Compiled, Tested, Deployed contracts on a local hardhat network.
Ran Slither-analyzer for further detecting and testing.
Recommended Mitigation Steps
(Worked best under a Python venv)
Compile and run the default test on the contracts.
https://github.com/crytic/slither
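
The zero-address check that the detector asks for, shown on a minimal stand-in for the `RCOrderbook` constructor flagged above. This is an added example, not the project's contract code; the contract name `OrderbookZeroCheckExample` and the `ZeroAddress` error are hypothetical, and only the two assignments named in the Slither output are modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.4;

/// Added example: stand-in contract, not the project's RCOrderbook.
/// It models only the two state variables named in the Slither output.
contract OrderbookZeroCheckExample {
    address public factoryAddress;
    address public treasuryAddress;

    /// Hypothetical custom error (custom errors are available from 0.8.4).
    /// `parameter` names the constructor argument that was rejected.
    error ZeroAddress(string parameter);

    /// Flagged pattern: `factoryAddress = _factoryAddress` and
    /// `treasuryAddress = _treasuryAddress` with no validation.
    /// Hardened pattern: reject address(0) before any state is written,
    /// so a misconfigured deployment reverts instead of succeeding.
    constructor(address _factoryAddress, address _treasuryAddress) {
        if (_factoryAddress == address(0)) {
            revert ZeroAddress("_factoryAddress");
        }
        if (_treasuryAddress == address(0)) {
            revert ZeroAddress("_treasuryAddress");
        }

        factoryAddress = _factoryAddress;
        treasuryAddress = _treasuryAddress;
    }
}
```

The same guard applies to the `RCMarket.initialize` address parameters listed in the log.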