Assessment reports>Empiric Oracle>Discussion>Assert non-zero value

Assert admin_address_storage is set to non-zero value in only_admin

The only_admin function, found in the admin/library.cairo file, is used to check if the caller is the specified admin for the contract. This code is used in a couple of contracts in the repository, allowing the protocol operators to perform maintenance tasks like adding publishers.

Currently, the only_admin function does not validate that the admin_address_storage variable was previously initialized. In an uninitialized state, the value of this variable is 0. This, coupled with the fact that get_caller_address will return 0 if the contract is directly invoked, suggests that if improper initialization were to occur with the contract that callers that directly invoked this contract would be treated as administrators.

Upon review of the codebase, we found no such case of improper initialization of the admin code in any of the in-scope contracts. While this design decision did not rise to the level of a security issue as it was used correctly everywhere, it is our recommendation that the check that this field has been initialized be added for future security of any additional admin functionality.

It is worth noting, however, that similar to the "publish entry non-zero check" finding, that due to the transition to Starknet 0.10.0, this will likely not be an issue going forward.

Zellic © 2023Back to top ↑