[SECURITY] Missing Zero-Address Check in updateGovernanceProposer #18142
Description
Summary
The updateGovernanceProposer function in Governance.sol prevents setting the proposer to the governance contract itself but fails to prevent setting it to the zero address.
Severity
MEDIUM - Could permanently disable standard proposal mechanism
Location
- File:
l1-contracts/src/governance/Governance.sol - Function:
updateGovernanceProposer
Description
The function has incomplete validation:
function updateGovernanceProposer(address _governanceProposer) external override(IGovernance) onlySelf {
require(_governanceProposer != address(this), Errors.Governance__GovernanceProposerCannotBeSelf());
// Missing: require(_governanceProposer != address(0), "Cannot set to zero address");
governanceProposer = _governanceProposer;
emit GovernanceProposerUpdated(_governanceProposer);
}Impact
If proposer is set to address(0):
- Standard
propose()function becomes permanently disabled - Only
proposeWithLock()(emergency mechanism) remains functional - Much higher barrier to entry for creating proposals
- Requires another governance proposal to fix (if emergency proposals can pass)
Attack Vector:
- Malicious proposal could intentionally set proposer to zero address
- Accidental misconfiguration during governance update
Recommendation
Add zero-address validation:
function updateGovernanceProposer(address _governanceProposer) external override(IGovernance) onlySelf {
require(_governanceProposer != address(this), Errors.Governance__GovernanceProposerCannotBeSelf());
require(_governanceProposer != address(0), "Proposer cannot be zero address");
governanceProposer = _governanceProposer;
emit GovernanceProposerUpdated(_governanceProposer);
}Additional Context
The function already validates against address(this), showing awareness of invalid addresses. The zero-address check should be added for completeness.