Omniscia Boson Protocol Audit
BundleBase Manual Review Findings
BBS-01M: Removal of Bundle Limitations
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | BundleBase.sol:L48-L54 |
Description:
The protocol-level limitations for the BundleBase::createBundleInternal function have been removed whereas they should remain per the discussions of the Boson Protocol team in the relevant PR#675 due to the valid concerns raised in the referenced thread.
Namely, a significantly high number of twinIds per bundle can cause the transfer of twins to reach the block gas limit and thus cause a Denial-of-Service attack rendering a voucher unredeemable.
Impact:
The current BundleBase::createBundleInternal function will permit the creation of a bundle that can result in a Denial-of-Service attack when redeeming a voucher associated with the bundle.
Example:
```solidity
36 function createBundleInternal(Bundle memory _bundle) internal {
37     // Cache protocol lookups and limits for reference
38     ProtocolLib.ProtocolLookups storage lookups = protocolLookups();
39
40     // get message sender
41     address sender = msgSender();
42
43     // get seller id, make sure it exists and store it to incoming struct
44     (bool exists, uint256 sellerId) = getSellerIdByAssistant(sender);
45     require(exists, NOT_ASSISTANT);
46
47     // validate that offer ids and twin ids are not empty
48     require(
49         _bundle.offerIds.length > 0 && _bundle.twinIds.length > 0,
50         BUNDLE_REQUIRES_AT_LEAST_ONE_TWIN_AND_ONE_OFFER
51     );
52
53     // Get the next bundle and increment the counter
54     uint256 bundleId = protocolCounters().nextBundleId++;
```
Recommendation:
We advise these limitations to be re-imposed, ensuring that the protocol's functions cannot be maliciously invoked to create an unredeemable voucher.
Alleviation (2b9f60b6c3323fd234b570089ceff924cdb5851c):
The Boson Protocol team evaluated this exhibit and maintained that a hard limit on the total twin IDs attached to a bundle is no longer needed, as the code will mark a twin transfer as failed when it is approaching its gas limit.
We would like to note that it may still be possible to perform a denial-of-service attack with an abnormally high number of twin IDs, as the gas required to evaluate the ordinary statements of the loop itself can consume the MINIMAL_RESIDUAL_GAS. In any case, we consider this exhibit to be nullified as the original denial-of-service described is unfeasible.
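The sketch below is an added illustration and is not Boson Protocol code: it contrasts the two mitigations discussed in this exhibit, a creation-time cap on the number of twin IDs and a residual-gas check inside the transfer loop, and shows why the gas check alone does not bound the loop when the array is unbounded. All names and constant values (`ITwin`, `MAX_TWINS_PER_BUNDLE`, the `MINIMAL_RESIDUAL_GAS` value) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical twin interface; not the Boson Protocol interface.
interface ITwin {
    function transferTwin(uint256 twinId, address to) external;
}

// Illustrative sketch only. Constants are hypothetical, not the protocol's values.
contract BundleRedeemSketch {
    uint256 public constant MAX_TWINS_PER_BUNDLE = 50;     // creation-time hard cap
    uint256 public constant MINIMAL_RESIDUAL_GAS = 30_000; // residual-gas floor

    ITwin public immutable twin;
    mapping(uint256 => uint256[]) private twinIdsOf;       // bundleId => twinIds

    event TwinTransferFailed(uint256 indexed bundleId, uint256 twinId);
    event TwinTransfersAbandoned(uint256 indexed bundleId, uint256 fromIndex);

    constructor(ITwin _twin) { twin = _twin; }

    function createBundle(uint256 bundleId, uint256[] calldata twinIds) external {
        require(twinIds.length > 0, "bundle requires at least one twin");
        // The cap bounds the redeem-time loop regardless of any gas check below.
        require(twinIds.length <= MAX_TWINS_PER_BUNDLE, "too many twins");
        twinIdsOf[bundleId] = twinIds;
    }

    function redeem(uint256 bundleId, address to) external {
        uint256[] storage ids = twinIdsOf[bundleId];
        uint256 n = ids.length;
        for (uint256 i = 0; i < n; i++) {
            // Residual-gas check. Had this merely `continue`d, each remaining
            // iteration would still pay for the loop overhead (loop counter,
            // storage read, event), so an unbounded array could exhaust gas
            // and revert the whole redemption anyway; stop the loop instead.
            if (gasleft() < MINIMAL_RESIDUAL_GAS) {
                emit TwinTransfersAbandoned(bundleId, i);
                break;
            }
            // Forward a bounded stipend; a failing twin is recorded, not propagated.
            try twin.transferTwin{gas: MINIMAL_RESIDUAL_GAS / 2}(ids[i], to) {
            } catch {
                emit TwinTransferFailed(bundleId, ids[i]);
            }
        }
    }
}
```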
