Omniscia Boson Protocol Audit
Version 2.3 Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 02a4d2ff04 | July 29th 2023 | e2f3430d82 |
| 2b9f60b6c3 | September 4th 2023 | 0c75f30525 |
| 584e7d054c | September 26th 2023 | f48b701844 |
Audit Overview
We were tasked with performing an audit of the Boson Protocol codebase and in particular the changes introduced between version 2.2.0 and 2.3.0, including the interim 2.2.1 version released.
Over the course of the audit, we identified multiple potential vulnerabilities of significant severity that arise from the introduction of new features without proper consideration of side-effects that they introduce in the old system.
Namely, the major vulnerabilities we identified:
- Cause incorrect consumption of seller handler updates as a result of the new collection-level BosonVoucher instances
- Result in improper validation of group conditions as a result of the new per-token-ID commit system
- Compromise assets held by the BosonVoucher contract as a result of the arbitrary-call capability introduced to it that is insufficiently protected
- Corrupt the storage space of upgraded BosonVoucher instances due to the removal of variables instead of their deprecation
Additionally, we evaluated the security of the full changelog between the 2.2.0 and 2.3.0 versions, including ensuring that the removal of protocol-wide limitations is secure, asserting that the new condition style is properly assimilated in the codebase, assessing the impact of create2-based deployment mechanisms for BosonVoucher instances, and more.
As a result of our evaluation, we were able to pinpoint vulnerabilities that concern these new features, as well as potential ways the protocol can enhance itself further in terms of functionality and backwards-compatibility, a trait we found to be absent from certain sensitive functions of the protocol.
Given that this is a delta audit, certain findings that have been included in older audit rounds have not been replicated in this audit report for the sake of brevity; all findings included concern newly introduced code as well as affected code of newly introduced functionality.
We advise the Boson Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.
Post-Audit Conclusion
The Boson Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Boson Protocol and have identified that certain exhibits have not been adequately dealt with. Specifically, some were partially alleviated while others have had additional information introduced to them, and we advise that they be revisited: SBE-02M, EHF-01M, EHF-02C, BVR-05M, BVR-04M.
Post-Audit Conclusion (584e7d054c)
The Boson Protocol team assessed the remaining exhibits highlighted above and proceeded to correctly apply the remediation of exhibit EHF-02C while providing supplemental information in the threads of the rest.
We revisited these exhibits and re-evaluated them based on this information, either marking them acknowledged, nullified, or properly alleviated.
No outstanding exhibits remain in the report and all outputs of the audit have been properly consumed by the Boson Protocol team.
Contracts Assessed
| Files in Scope | Repository | Commit(s) |
|---|---|---|
| Address.sol (ASS) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| AccessControl.sol (ACL) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| AccessController.sol (ACR) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| AgentHandlerFacet.sol (AHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| AccountHandlerFacet.sol (AHT) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BuyerBase.sol (BBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BosonTypes.sol (BTS) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BundleBase.sol (BBS) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BosonVoucher.sol (BVR) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BosonConstants.sol (BCS) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BeaconClientLib.sol (BCL) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BeaconClientBase.sol (BCB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BeaconClientProxy.sol (BCP) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BosonClientBeacon.sol (BCN) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BuyerHandlerFacet.sol (BHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| BundleHandlerFacet.sol (BHT) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ClientLib.sol (CLB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ClientBase.sol (CBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ClientProxy.sol (CPY) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ConfigHandlerFacet.sol (CHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ClientExternalAddressesBase.sol (CEA) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| DiamondLib.sol (DLB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| DisputeBase.sol (DBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| DiamondCutFacet.sol (DCF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| DiamondLoupeFacet.sol (DLF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| DisputeHandlerFacet.sol (DHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| DisputeResolverHandlerFacet.sol (DRH) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| EIP712Lib.sol (EIP) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ERC165Facet.sol (ERC) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ExchangeHandlerFacet.sol (EHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| FundsLib.sol (FLB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| FundsHandlerFacet.sol (FHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| GroupBase.sol (GBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| GroupHandlerFacet.sol (GHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| JewelerLib.sol (JLB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| Math.sol (MHT) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| MetaTransactionsHandlerFacet.sol (MTH) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| OfferBase.sol (OBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| OfferHandlerFacet.sol (OHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| OrchestrationHandlerFacet1.sol (OH1) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| OrchestrationHandlerFacet2.sol (OH2) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| Proxy.sol (PYX) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ProtocolLib.sol (PLB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| PausableBase.sol (PBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ProtocolBase.sol (PBS) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ProtocolDiamond.sol (PDD) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| PauseHandlerFacet.sol (PHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ProtocolInitializationHandlerFacet.sol (PIH) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| ReentrancyGuardBase.sol (RGB) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| Strings.sol (SSG) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| SafeERC20.sol (SER) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| SellerBase.sol (SBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| SellerHandlerFacet.sol (SHF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| TwinBase.sol (TBE) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
| TwinHandlerFacet.sol (THF) | boson-protocol-contracts | 02a4d2ff04, 2b9f60b6c3, 584e7d054c |
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| [severity icon] | 3 | 3 | 0 | 0 |
| [severity icon] | 14 | 12 | 0 | 2 |
| [severity icon] | 6 | 5 | 0 | 1 |
| [severity icon] | 5 | 4 | 0 | 1 |
| [severity icon] | 4 | 4 | 0 | 0 |
During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools as well as identified a total of 30 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.