Abundant Lace Mammoth
High
Assignment of Comptroller and Controller to Zero Address leads to Permanent Loss of Fee Claiming Functionality
If the comptroller and coordinator are set to address zero it will effectively lock out all users from claiming fees as the zero address is not a valid account. This means that no one will be able to claim fees anymore rendering the contract functionality useless
The contract allows the comptroller and coordinator function role to be assigned to the zero address rendering the claimFee function inaccessible and locking out all users from claiming fees.
Setting the comptroller and controller to zero address will cause the contract to stop working properly resulting in lost of money and functionality.
Manual Review
Recommendation 1: Add address zero check in setComptroller function
To prevent the comptroller from being set to the zero address add a require statement to check that the new address is not zero:
function setComptroller(address comptroller_) external onlyOwner { require(comptroller_ != address(0), "Comptroller cannot be zero address"); comptroller = comptroller_; emit ComptrollerSet(comptroller_); }
Recommendation 2: Add address zero check in setCoordinator function
Similarly add a require statement to check that the new coordinator address is not zero:
function setCoordinator(address coordinator_) external onlyOwner { require(coordinator_ != address(0), "Coordinator cannot be zero address"); coordinator = coordinator_; emit CoordinatorSet(coordinator_); }
These checks ensure that the comptroller and coordinator roles cannot be assigned to the zero address preventing potential contract dysfunction.