[Audit Fix] Wrong logic check in `ElasticDAO.initialize`

Question

[Audit Fix] Wrong logic check in `ElasticDAO.initialize`

Closed this issue 4 years ago · 0 comments

Summary

The ElasticDAO.initialize function has a check which passes when only one of _ecosystemModelAddress or _controller is non-zero.
The intention was probably to check that both are non-zero.

Risk Rating

2

Vulnerability Details

The ElasticDAO.initialize performs this check which passes when only one of _ecosystemModelAddress or _controller is non-zero.

require(
  _ecosystemModelAddress != address(0) || _controller != address(0),
  'ElasticDAO: Address Zero'
);

Impact

The initialize function can be called with the wrong parameters which break further functionality.
For example, the controller could be the zero address and the DAO is unable to change this parameter again.
The only option is to redeploy everything.

Proof of Concept

Tools Used

Recommended Mitigation Steps

Use a logical and instead of an or:

require(
  _ecosystemModelAddress != address(0) && _controller != address(0),
  'ElasticDAO: Address Zero'
);

Definition of Done

Change || to && in ElasticDAO.initialize address zero check
test proving that neither can be address(0)