Creator could be zero address
Closed this issue · 3 comments
alsldl commented
Severity
High
It affect to token circulation, but also creator's loss.
Vulnerability details
In the initialization, bond.creator
is set as msg.sender
.
function _setBond(address token, BondParams calldata bp) private {
// Set token bond data
Bond storage bond = tokenBond[token];
bond.creator = _msgSender();
...
}
It doesn't matter.
However, MCV2_Bond::updateBondCreator
could set the creator as zero address.
function updateBondCreator(address token, address creator) external {
Bond storage bond = tokenBond[token];
if (bond.creator != _msgSender()) revert MCV2_Bond__PermissionDenied(); // This will also check the existence of the bond
bond.creator = creator;
emit BondCreatorUpdated(token, creator);
}
There was no condition to check for the possibility that new creator could be a zero address.
Recommendation
I recommend following:
- If it is not your intention, which new creator could be set zero address, you have to prevent this situation.
Creator has role which receive specific royalty as fee recipient.
If creator set zero address, royalty is burnt and it affect token’s circulation. - If it is your intention, which new creator could be set zero address, you have to emit event like
renounceCreator
when the creator is set to a zero address.
It is very important. It affect to token’s circulation that creator is zero address or non-zero address.
And it can help to prevent user’s mistake which set the new creator as zero address.
If you want, you can create another functionrecounceCreator
that set the new creator as zero address.
alsldl commented
My ethereum wallet is 0x08204C5d6D3e2D5691AB7F0B56288Fcfd79883fD
. Thx!
0x3agle commented
I suggest you should check the updated code at commit - 9498447
function updateBondCreator(address token, address creator) external {
Bond storage bond = tokenBond[token];
if (bond.creator != _msgSender()) revert MCV2_Bond__PermissionDenied(); // This will also check the existence of the bond
// null address is not allowed, use dEaD address instead
if (creator == address(0)) revert MCV2_Bond__InvalidCreatorAddress();
bond.creator = creator;
emit BondCreatorUpdated(token, creator);
}
alsldl commented
Oh, i didn't know that. Thanks bro.