Innocent Turquoise Barracuda
Medium
Implementation Contract Initialization Vulnerability (Root Cause: Lack of Zero Address Validation + Impact: Irreversible Configuration)
In the constructor of DBOFactory, the address of the implementationContract is set without validating whether it is
a valid non-zero address. This design flaw means that if an invalid or zero address is accidentally assigned, the
contract has no mechanism to update or replace this value. This is problematic as the contract lacks a failsafe for
critical misconfigurations, leading to potential contract malfunctions or the inability to deploy new borrow orders
through implementationContract.
Without a validation mechanism, the contract lacks a failsafe for correcting such errors, which can lead to irreversible issues if an incorrect address is assigned.
No response
No response
Address would always be what was set and if address(0) then it cant changed
Having unused variables, especially ones set in the constructor, can cause confusion for future developers or auditors, who might assume it has functionality within the contract. Additionally, this variable could increase gas costs if stored without purpose
The constructor does not validate the _implementationContract parameter. Here’s the relevant snippet:
constructor(address _implementationContract) {
owner = msg.sender;
implementationContract = _implementationContract; // No check for address(0)
}If _implementationContract is passed as address(0), there is no way to reset or correct this, and all attempts to
create borrow orders will fail or behave unpredictably.
In the constructor, validate that the _implementationContract is a non-zero address:
constructor(address _implementationContract) {
require(_implementationContract != address(0), "Invalid implementation address");
owner = msg.sender;
implementationContract = _implementationContract;
}This check will prevent the contract from being misconfigured with an invalid implementationContract, ensuring future
borrow orders can be created correctly.