Omniscia Arcade XYZ Audit

ArcadeItemsVerifier Manual Review Findings

AIV-01M: Incorrect Assumption of Function

Description:

The ArcadeItemsVerifier::verifyPredicates function assumes that an empty predicates array has already been handled by the OriginationController::initializeLoanWithItems and OriginationController::rolloverLoanWithItems functions. This assumption is incorrect: those functions only ensure that the predicates array as a whole is non-empty, not that the data payload of an individual predicate call decodes to a non-zero number of entries.

Impact:

The ArcadeItemsVerifier::verifyPredicates function will misbehave if it is supplied an empty items data entry when called via the OriginationController, despite its documentation stating that no sanitization is needed; that documentation is incorrect.

Example:

contracts/verifiers/ArcadeItemsVerifier.sol
/**
 * @notice Verify that the items specified by the packed SignatureItem array are held by the vault.
 * @dev Reverts on a malformed SignatureItem, returns false on missing contents.
 *
 * Verification for empty predicates array has been addressed in initializeLoanWithItems and
 * rolloverLoanWithItems.
 *
 * @param collateralAddress The address of the loan's collateral.
 * @param collateralId The tokenId of the loan's collateral.
 * @param predicates The calldata needed for the verifier.
 *
 * @return verified Whether the bundle contains the specified items.
 */
// solhint-disable-next-line code-complexity
function verifyPredicates(
    address, address,
    address collateralAddress,
    uint256 collateralId,
    bytes calldata predicates
) external view override returns (bool) {
    address vault = IVaultFactory(collateralAddress).instanceAt(collateralId);

    // Unpack items
    SignatureItem[] memory items = abi.decode(predicates, (SignatureItem[]));

    for (uint256 i = 0; i < items.length; i++) {

Recommendation:

We advise the code to ensure that the decoded items array has a non-zero length, as otherwise the predicate would succeed without validating anything, which would signify a potential scam attempt.

Alleviation (7a4e1dc948e94ded7385dbb74818bcf93ecc207c):

A proper if-revert pattern was introduced that ensures the decoded SignatureItem array contains non-zero entries, alleviating this exhibit in full.
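As an added illustration that is neither the audit's nor Arcade XYZ's code, the Python below models why the controller-level check referred to in the Description is insufficient and what the if-revert pattern from the Alleviation changes: it ABI-encodes an item array by hand, shows that an empty array still yields a 64-byte (non-empty) predicates payload, and runs that payload through the original fall-through logic and the remediated one. The two-field item struct, the vault-holdings set and the revert message are assumptions, not the project's definitions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple
WORD = 32  # one ABI word

@dataclass(frozen=True)
class Item:  # assumed two-field static struct, not the project's SignatureItem layout
    asset: int     # address as an integer
    token_id: int

def encode_items(items: List[Item]) -> bytes:
    """abi.encode(Item[]): offset word (0x20), length word, then the elements inline."""
    body = len(items).to_bytes(WORD, "big")
    for it in items:
        body += it.asset.to_bytes(WORD, "big") + it.token_id.to_bytes(WORD, "big")
    return WORD.to_bytes(WORD, "big") + body

def decode_items(payload: bytes) -> List[Item]:
    """abi.decode(payload, (Item[])): follow the offset, read the length, then each element."""
    if len(payload) < 2 * WORD:
        raise ValueError("malformed payload: shorter than a dynamic array head")
    offset = int.from_bytes(payload[:WORD], "big")
    length = int.from_bytes(payload[offset:offset + WORD], "big")
    items, pos = [], offset + WORD
    for _ in range(length):
        if pos + 2 * WORD > len(payload):
            raise ValueError("malformed payload: truncated element")
        asset = int.from_bytes(payload[pos:pos + WORD], "big")
        token_id = int.from_bytes(payload[pos + WORD:pos + 2 * WORD], "big")
        items.append(Item(asset, token_id))
        pos += 2 * WORD
    return items

def controller_check(predicates: bytes) -> bool:
    """The OriginationController-level guard described in the finding: outer payload non-empty."""
    return len(predicates) != 0

def verify_original(predicates: bytes, vault: Set[Tuple[int, int]]) -> bool:
    """Original verifier logic: loop over items; an empty array falls through and succeeds."""
    for it in decode_items(predicates):
        if (it.asset, it.token_id) not in vault:
            return False  # missing contents -> false, as the NatSpec states
    return True

def verify_fixed(predicates: bytes, vault: Set[Tuple[int, int]]) -> bool:
    """Remediated logic: if-revert on an empty decoded array (the revert message is assumed)."""
    items = decode_items(predicates)
    if len(items) == 0:
        raise ValueError("revert: empty item array")
    return all((it.asset, it.token_id) in vault for it in items)
```

The constructed vault is a set of (asset, tokenId) pairs standing in for the on-chain holdings lookup; the point of interest is that controller_check passes the empty-array payload while verify_original returns true for it.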