Zero or test address
What it does
Checks whether the zero address is being passed to a function without validation.
Why is this bad?
Because the private key for the zero address is known, anyone could take ownership of the contract.
Example
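    #[ink(message)]
    pub fn modify_admin(&mut self, admin: AccountId) -> Result<AccountId, Error> {
        // Only the current admin may change the admin.
        if self.admin != self.env().caller() {
            return Err(Error::NotAuthorized);
        }
        // `admin` is stored without any validation, so the zero address is accepted.
        self.admin = admin;
        Ok(self.admin)
    }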
Use instead:
    #[ink(message)]
    pub fn modify_admin(&mut self, admin: AccountId) -> Result<AccountId, Error> {
        // Only the current admin may change the admin.
        if self.admin != self.env().caller() {
            return Err(Error::NotAuthorized);
        }
        // Reject the zero address before writing to storage.
        if admin == AccountId::from([0x0; 32]) {
            return Err(Error::InvalidAddress);
        }
        self.admin = admin;
        Ok(self.admin)
    }
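The difference between the two versions, as an added example that is not part of the original page or the detector's code: a std-only Rust model in which `AccountId`, `Admin`, `modify_admin_unchecked` and the explicit `caller` argument are assumed stand-ins for the ink! types, the contract storage and `self.env().caller()`. It shows that the unchecked version hands the admin role to the zero address and the original admin cannot take it back, while the checked version returns `InvalidAddress` and leaves storage unchanged.

```rust
// Std-only model of the contract above. AccountId, Admin and the explicit
// `caller` argument are stand-ins (assumptions) for ink!'s AccountId, the
// contract storage and self.env().caller().
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct AccountId(pub [u8; 32]);

#[derive(PartialEq, Eq, Debug)]
pub enum Error { NotAuthorized, InvalidAddress }

pub const ZERO: AccountId = AccountId([0x0; 32]);

pub struct Admin { pub admin: AccountId }

impl Admin {
    // Flagged pattern: `admin` is written to storage without validation.
    pub fn modify_admin_unchecked(&mut self, caller: AccountId, admin: AccountId) -> Result<AccountId, Error> {
        if self.admin != caller { return Err(Error::NotAuthorized); }
        self.admin = admin;
        Ok(self.admin)
    }

    // Fixed pattern: the zero address is rejected before storage changes.
    pub fn modify_admin(&mut self, caller: AccountId, admin: AccountId) -> Result<AccountId, Error> {
        if self.admin != caller { return Err(Error::NotAuthorized); }
        if admin == ZERO { return Err(Error::InvalidAddress); }
        self.admin = admin;
        Ok(self.admin)
    }
}

fn main() {
    let alice = AccountId([0x01; 32]); // constructed sample account
    let mut bad = Admin { admin: alice };
    // The mistaken call succeeds, and the original admin is then locked out.
    println!("{:?}", bad.modify_admin_unchecked(alice, ZERO).is_ok());
    println!("{:?}", bad.modify_admin_unchecked(alice, alice));
    let mut good = Admin { admin: alice };
    // The same mistake is rejected and the admin is unchanged.
    println!("{:?}", good.modify_admin(alice, ZERO));
    println!("{:?}", good.admin == alice);
}
```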
Implementation
The detector's implementation can be found at this link.