Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Ethereum and Blast Exchanges>Informational findings>Missing zero-address check
GeneralOverview
Findings
High (2)
Medium (1)
Low (3)
Informational (2)Incorrect event-parameter orderMissing zero-address check
DiscussionLack of documentationCentralization risksEnforce a more recent Solidity version
Threat ModelWhat are threat models?BfxDepositU.solBfxU.solBfxVaultU.solPoolDepositU.solRabbitU.solVaultU.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

Missing zero-address check

Informational Severity
Informational Impact
N/A Likelihood

Description

The timelock address is allowed to upgrade the contracts, and its address is set during contract initialization. However, the address value is not checked to be nonzero. This address cannot be changed later.

This remark applies also for other addresses like owner, _defaultToken, or _signer. However, some of them may be changed later by the timelock address.

Impact

If by accident the timelock is initialized to zero, the contracts will not be upgradable and the owner cannot be changed.

Recommendations

We recommend to implement zero-address checks in the initialize functions.

Remediation

Zellic © 2025Back to top ↑