Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lack of validation for Ethereum addresses [code-improvement] #22

Closed
0xM3R opened this issue Dec 16, 2024 · 0 comments · Fixed by #28 or #6
Closed

Lack of validation for Ethereum addresses [code-improvement] #22

0xM3R opened this issue Dec 16, 2024 · 0 comments · Fixed by #28 or #6
Assignees
@fadeev
Labels
Security

Comments

@0xM3R
Copy link

0xM3R commented Dec 16, 2024

File: universalSetConnected.ts
Issue: Lack of validation for Ethereum addresses in args.zrc20 and args.connected.

Analysis

The vulnerable implementation is as follows:

const tx = await contract.setConnected(args.zrc20, args.connected);
  • Unvalidated Input: The addresses are used without verification.

How It Can Be Harmful

  • Invalid Inputs: Using unvalidated addresses can lead to transaction failures or unintended contract behavior.

How to Mitigate the Issue

1. Validate Ethereum Addresses: Ensure the addresses are valid before use.

import { isAddress } from "ethers/lib/utils";

if (!isAddress(args.zrc20) || !isAddress(args.connected)) {
    throw new Error("Invalid Ethereum address provided.");
}

References

  • Improper Input Validation in Smart Contracts
    Discusses the risks of inadequate input validation in smart contracts.
    Metana Blog
  • CVE-2024-32649
    Highlights vulnerabilities due to improper input validation in smart contracts.
    CVE Details
@0xM3R 0xM3R added the Security label Dec 16, 2024
@0xM3R 0xM3R transferred this issue from another repository Dec 17, 2024
@0xM3R 0xM3R transferred this issue from zeta-chain/smart-contract-vulns Dec 17, 2024
This was linked to pull requests Dec 18, 2024
fix: address validation #28
Merged
feat: NFT and FT upgradeable using OpenZeppelin's UUPS #6
Merged
@fadeev fadeev closed this as completed in #6 Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fadeev fadeev

Labels
Security
Projects
None yet
Milestone
No milestone
2 participants
@fadeev @0xM3R