Steemhunt/mint.club-v2-contract

Creator could be zero address

Closed this issue · 3 comments

Severity

High
It affects token circulation and also causes a loss for the creator.

Vulnerability details

In the initialization, bond.creator is set as msg.sender.

function _setBond(address token, BondParams calldata bp) private {
    // Set token bond data
    Bond storage bond = tokenBond[token];
    bond.creator = _msgSender();
    ...
}

It doesn't matter.

However, MCV2_Bond::updateBondCreator could set the creator to the zero address.

function updateBondCreator(address token, address creator) external {
    Bond storage bond = tokenBond[token];
    if (bond.creator != _msgSender()) revert MCV2_Bond__PermissionDenied(); // This will also check the existence of the bond

    bond.creator = creator;

    emit BondCreatorUpdated(token, creator);
}

There was no condition to check for the possibility that the new creator could be the zero address.

Recommendation

I recommend the following:

  1. If it is not your intention that the new creator can be set to the zero address, you have to prevent this situation.
    The creator has a role that receives a specific royalty as the fee recipient.
    If the creator is set to the zero address, the royalty is burnt and it affects the token’s circulation.
  2. If it is your intention that the new creator can be set to the zero address, you have to emit an event like renounceCreator when the creator is set to the zero address.
    It is very important. Whether the creator is the zero address or a non-zero address affects the token’s circulation.
    And it can help to prevent a user’s mistake of setting the new creator to the zero address.
    If you want, you can create another function renounceCreator that sets the new creator to the zero address.

My ethereum wallet is 0x08204C5d6D3e2D5691AB7F0B56288Fcfd79883fD. Thx!

I suggest you should check the updated code at commit - 9498447

    function updateBondCreator(address token, address creator) external {
        Bond storage bond = tokenBond[token];
        if (bond.creator != _msgSender()) revert MCV2_Bond__PermissionDenied(); // This will also check the existence of the bond

        // null address is not allowed, use dEaD address instead
        if (creator == address(0)) revert MCV2_Bond__InvalidCreatorAddress();
        bond.creator = creator;

        emit BondCreatorUpdated(token, creator);
    }

Oh, I didn't know that. Thanks bro.
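For comparison with the fix above, this is a sketch of the issue's second recommendation: keep `updateBondCreator` strict and make giving up the creator role an explicit call with its own event. It is an added example, not code from the Mint Club repository; the contract name, `registerBond`, `renounceCreator`, `BondCreatorRenounced`, `BondAlreadyExists` and the `exists` flag are hypothetical, and `msg.sender` stands in for `_msgSender()`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Royalty distribution is out of scope for this sketch.
contract BondCreatorExample {
    error MCV2_Bond__PermissionDenied();
    error MCV2_Bond__InvalidCreatorAddress();
    error BondAlreadyExists(); // hypothetical

    event BondCreatorUpdated(address indexed token, address indexed creator);
    // Hypothetical: lets indexers tell a deliberate renounce from a transfer.
    event BondCreatorRenounced(address indexed token, address indexed previousCreator);

    struct Bond {
        address creator;
        bool exists; // kept separately so a renounced bond cannot be re-registered
    }

    mapping(address => Bond) public tokenBond;

    // Stand-in for bond creation so the example is self-contained.
    function registerBond(address token) external {
        if (tokenBond[token].exists) revert BondAlreadyExists();
        tokenBond[token] = Bond({creator: msg.sender, exists: true});
    }

    // Transfer path: a zero address here is treated as a caller mistake.
    function updateBondCreator(address token, address creator) external {
        Bond storage bond = tokenBond[token];
        if (bond.creator != msg.sender) revert MCV2_Bond__PermissionDenied();
        if (creator == address(0)) revert MCV2_Bond__InvalidCreatorAddress();

        bond.creator = creator;
        emit BondCreatorUpdated(token, creator);
    }

    // Renounce path: the only way the creator can become address(0).
    function renounceCreator(address token) external {
        Bond storage bond = tokenBond[token];
        // msg.sender is never address(0), so this also rejects unknown
        // and already-renounced bonds.
        if (bond.creator != msg.sender) revert MCV2_Bond__PermissionDenied();

        bond.creator = address(0);
        emit BondCreatorRenounced(token, msg.sender);
    }
}
```

With this split, a zero `creator` argument can only ever be an error, and the one-way renounce is visible on-chain as a distinct event.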