Omniscia Tangible Audit
CurrencyFeedV2 Static Analysis Findings
CurrencyFeedV2 Static Analysis Findings
CFV-01S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | CurrencyFeedV2.sol:L86-L93, L100-L107 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
contracts/helpers/CurrencyFeedV2.sol
86function setCurrencyFeed(87 string calldata _currency,88 AggregatorV3Interface _priceFeed89) external onlyFactoryOwner {90 currencyPriceFeeds[_currency] = _priceFeed;91 // set for iso92 currencyPriceFeedsISONum[ISOcurrencyCodeToNum[_currency]] = _priceFeed;93}Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (1f394a00cc2ed1dc2020a9c07f982cff9029077d):
The Tangible team evaluated this exhibit and has opted to retain the capability of setting the zero-address for a currencyPriceFeeds entry in case they wish to disable a particular feed.
As a result, we consider the exhibit to concern desirable behaviour and thus to be invalidated.