From d4d21a94b65239e10cde1280b8084da22242e056 Mon Sep 17 00:00:00 2001
From: AMATH <116212274+amathxbt@users.noreply.github.com>
Date: Sun, 3 May 2026 03:19:39 -0700
Subject: [PATCH] fix: reject zero address in deployConfidentialERC20
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

dployConfidentialERC20 is permissionlessly callable by anyone. Without a
zero-address check, a caller can pass address(0) as the ERC20 token,
which successfully deploys a ConfidentialERC20 proxy (ConfidentialERC20
.initialize only checks that the token is not itself an FHERC20) and
registers the mapping entry address(0) → proxy. This permanently
occupies the zero-address slot in EnumerableMap and can never be
removed, and any future code that checks whether address(0) has a
confidential wrapper would receive a non-zero result, causing silent
misbehaviour. Add a revert with the new InvalidERC20 error.
---
 packages/hardhat/contracts/RedactCore.sol | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/packages/hardhat/contracts/RedactCore.sol b/packages/hardhat/contracts/RedactCore.sol
index 2b3c501..083172c 100644
--- a/packages/hardhat/contracts/RedactCore.sol
+++ b/packages/hardhat/contracts/RedactCore.sol
@@ -37,6 +37,7 @@ contract RedactCore is Ownable2Step {
     error InvalidWETH();
     error InvalidEETH();
     error InvalidImplementation();
+    error InvalidERC20();
 
     constructor(
         IWETH wETH_,
@@ -92,6 +93,7 @@ contract RedactCore is Ownable2Step {
      * Reverts if a wrapper already exists or if `erc20` is WETH (use {eETH} instead).
      */
     function deployConfidentialERC20(IERC20 erc20) public returns (address) {
+        if (address(erc20) == address(0)) revert InvalidERC20();
         if (address(erc20) == address(wETH)) revert InvalidWETH();
         if (_confidentialERC20Map.contains(address(erc20))) revert AlreadyDeployed();