Omniscia Arcade XYZ Audit
PromissoryNote Static Analysis Findings
PromissoryNote Static Analysis Findings
PNE-01S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | PromissoryNote.sol:L82-L104, L113-L120 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
contracts/PromissoryNote.sol
82constructor(83 string memory name,84 string memory symbol,85 address _descriptor86) ERC721(name, symbol) ERC721Permit(name) {87 if (_descriptor == address(0)) revert PN_ZeroAddress("descriptor");88
89 descriptor = INFTDescriptor(_descriptor);90
91 _setupRole(ADMIN_ROLE, msg.sender);92 _setupRole(RESOURCE_MANAGER_ROLE, msg.sender);93
94 // Allow admin to set mint/burn role, which they will do95 // during initialize. After initialize, admin role is96 // permanently revoked, so mint/burn role becomes immutable97 // and initialize cannot be called again.98 // Do not set role admin for admin role.99 _setRoleAdmin(MINT_BURN_ROLE, ADMIN_ROLE);100 _setRoleAdmin(RESOURCE_MANAGER_ROLE, RESOURCE_MANAGER_ROLE);101
102 // We don't want token IDs of 0103 _tokenIdTracker.increment();104}Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (7a4e1dc948e94ded7385dbb74818bcf93ecc207c):
The exhibit has been amended to only contain one referenced instance instead of two as the first one was incorrect.
The second remains in the codebase unaddressed and as such, we consider this exhibit acknowledged.