Omniscia Arcade XYZ Audit
ArcadeItemsVerifier Manual Review Findings
AIV-01M: Incorrect Assumption of Function
| Type | Severity | Location |
|---|---|---|
| Logical Fault | | ArcadeItemsVerifier.sol:L81-L82 |
Description:
The ArcadeItemsVerifier::verifyPredicates function assumes that the empty-predicates case has already been handled in the OriginationController::initializeLoanWithItems and OriginationController::rolloverLoanWithItems functions. This assumption is incorrect: those functions only ensure that the predicates array as a whole is non-empty, not that the data payload of an individual predicate call decodes to a non-zero number of entries.
Impact:
The ArcadeItemsVerifier::verifyPredicates function will misbehave if it is supplied an empty items data entry when called via the OriginationController, even though its documentation states that no sanitization is needed; that statement is incorrect.
Example:
```solidity
77 /**
78  * @notice Verify that the items specified by the packed SignatureItem array are held by the vault.
79  * @dev Reverts on a malformed SignatureItem, returns false on missing contents.
80  *
81  * Verification for empty predicates array has been addressed in initializeLoanWithItems and
82  * rolloverLoanWithItems.
83  *
84  * @param collateralAddress The address of the loan's collateral.
85  * @param collateralId The tokenId of the loan's collateral.
86  * @param predicates The calldata needed for the verifier.
87  *
88  * @return verified Whether the bundle contains the specified items.
89  */
90 // solhint-disable-next-line code-complexity
91 function verifyPredicates(
92     address, address,
93     address collateralAddress,
94     uint256 collateralId,
95     bytes calldata predicates
96 ) external view override returns (bool) {
97     address vault = IVaultFactory(collateralAddress).instanceAt(collateralId);
98
99     // Unpack items
100    SignatureItem[] memory items = abi.decode(predicates, (SignatureItem[]));
101
102    for (uint256 i = 0; i < items.length; i++) {
```
Recommendation:
We advise the code to properly ensure that the decoded items array has a non-zero length, as otherwise the predicate would succeed without validating anything, which signifies a potential scam attempt.
Alleviation (7a4e1dc948e94ded7385dbb74818bcf93ecc207c):
A proper if-revert pattern was introduced that ensures the decoded SignatureItem array contains non-zero entries, alleviating this exhibit in full.
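The following added example (not Arcade's code) models the root cause of this exhibit: a `predicates` payload that is non-empty as bytes, and therefore passes a bytes-length check at the controller level, can still ABI-decode to zero `SignatureItem` entries, so the verifier's loop never runs and it returns `true`. It also shows the zero-length if-revert check that closes the gap. The `SignatureItem` struct is simplified to two static words (an assumed shape, not the project's real struct), and the ABI head/tail layout of a dynamic array is reproduced by hand.

```python
# Added example, not Arcade's code. Models abi.decode(predicates, (SignatureItem[]))
# with SignatureItem simplified to (asset, tokenId), two static uint256 words.
WORD = 32


def encode_signature_items(items: list[tuple[int, int]]) -> bytes:
    """ABI-encode a dynamic array of the simplified struct: head offset, length, elements."""
    head = WORD.to_bytes(WORD, "big")          # offset of the array data (always 0x20 here)
    body = len(items).to_bytes(WORD, "big")    # array length word
    for asset, token_id in items:
        body += asset.to_bytes(WORD, "big") + token_id.to_bytes(WORD, "big")
    return head + body


def decode_signature_items(predicates: bytes) -> list[tuple[int, int]]:
    """Mirror of abi.decode for the simplified struct array."""
    offset = int.from_bytes(predicates[:WORD], "big")
    length = int.from_bytes(predicates[offset:offset + WORD], "big")
    items, pos = [], offset + WORD
    for _ in range(length):
        asset = int.from_bytes(predicates[pos:pos + WORD], "big")
        token_id = int.from_bytes(predicates[pos + WORD:pos + 2 * WORD], "big")
        items.append((asset, token_id))
        pos += 2 * WORD
    return items


def controller_check(predicates: bytes) -> bool:
    """The controller-level check the finding describes: only the raw bytes are non-empty."""
    return len(predicates) != 0


def verify_predicates_vulnerable(predicates: bytes, vault_contents: set) -> bool:
    """Pre-fix behaviour: an empty decoded array skips the loop and verifies vacuously."""
    items = decode_signature_items(predicates)
    for item in items:
        if item not in vault_contents:
            return False
    return True


def verify_predicates_fixed(predicates: bytes, vault_contents: set) -> bool:
    """Post-fix behaviour: if-revert on a zero-length decoded array (revert modelled as ValueError)."""
    items = decode_signature_items(predicates)
    if len(items) == 0:
        raise ValueError("revert: no SignatureItem entries decoded")
    for item in items:
        if item not in vault_contents:
            return False
    return True
```

Encoding an empty array yields 64 bytes (offset word plus a zero length word), which is why a check on `predicates.length` alone does not catch the case.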
