Like other similar functions, Curve.transfer and Orchestrator.includeAsset perform zero-address checks. However, Curve.transferOwnership and the Router constructor do not.
This may make sense for Curve.transferOwnership, because without zero-address checks, the function may serve as a means of burning ownership. However, popular contracts that define similar functions often consider this case, such as OpenZeppelin's Ownable contracts.
Conversely, a zero-address check should be added to the Router constructor to prevent the deployment of an invalid Router, which would revert upon a call to the zero address.
Short term, consider adding zero-address checks to the Router's constructor and Curve's transferOwnership function to prevent operator errors.
Long term, review state variables that reference contracts to ensure that the code that sets those state variables performs zero-address checks where necessary.
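The sketch below is an added example of the short-term recommendation, not code from the audit report or from the DFX repository. The contract names, the `factory` and `owner` variables, the event and the revert strings are assumptions made for illustration; the separate `renounceOwnership` function follows the split that OpenZeppelin's Ownable uses, so burning ownership remains possible but only as an explicit action.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; contract, variable and event names are assumptions,
// not the audited DFX code.
contract RouterSketch {
    address public immutable factory; // hypothetical dependency set at deployment

    constructor(address _factory) {
        // Reject the zero address so an unusable Router cannot be deployed.
        require(_factory != address(0), "Router/zero-factory-address");
        factory = _factory;
    }
}

contract CurveOwnershipSketch {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "Curve/caller-is-not-owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    // A mistyped or defaulted argument can no longer burn ownership by accident.
    function transferOwnership(address _newOwner) external onlyOwner {
        require(_newOwner != address(0), "Curve/new-owner-is-zero-address");
        emit OwnershipTransferred(owner, _newOwner);
        owner = _newOwner;
    }

    // Burning ownership stays possible, but only through an explicit call,
    // the same split OpenZeppelin's Ownable uses.
    function renounceOwnership() external onlyOwner {
        emit OwnershipTransferred(owner, address(0));
        owner = address(0);
    }
}
```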
- ToB Audit DFX Finance Finding 4
- Data Validation
- Missing Checks Zero-address
- Add Checks
- Best-practice