Omniscia Boson Protocol Audit
ConfigHandlerFacet Manual Review Findings
CHF-01M: Inexistent Validation of Proper Resolution Period Configuration
| Type | Severity | Location |
|---|---|---|
| Input Sanitization | ![]() | ConfigHandlerFacet.sol:L427-L433, L455-L461 |
Description:
The ConfigHandlerFacet::setMinResolutionPeriod and ConfigHandlerFacet::setMaxResolutionPeriod functions do not validate their input arguments against their counterpart limits, maxResolutionPeriod and minResolutionPeriod respectively.
Impact:
It is presently possible to misconfigure the resolution period range in the protocol limits, which is an undesirable trait of the ConfigHandlerFacet contract.
Example:
```solidity
416 /**
417  * @notice Sets the minimum resolution period a seller can specify.
418  *
419  * Emits a MinResolutionPeriodChanged event.
420  *
421  * Reverts if _minResolutionPeriod is zero.
422  *
423  * @dev Caller must have ADMIN role.
424  *
425  * @param _minResolutionPeriod - the minimum resolution period that a {BosonTypes.Seller} can specify
426  */
427 function setMinResolutionPeriod(uint256 _minResolutionPeriod) public override onlyRole(ADMIN) nonReentrant {
428     // Make sure _maxResolutionPeriod is greater than 0
429     checkNonZero(_minResolutionPeriod);
430
431     protocolLimits().minResolutionPeriod = _minResolutionPeriod;
432     emit MinResolutionPeriodChanged(_minResolutionPeriod, msgSender());
433 }
434
435 /**
436  * @notice Gets the minimum resolution period a seller can specify.
437  *
438  * @return the minimum resolution period that a {BosonTypes.Seller} can specify
439  */
440 function getMinResolutionPeriod() external view override returns (uint256) {
441     return protocolLimits().minResolutionPeriod;
442 }
443
444 /**
445  * @notice Sets the maximum resolution period a seller can specify.
446  *
447  * Emits a MaxResolutionPeriodChanged event if successful.
448  *
449  * Reverts if the _maxResolutionPeriod is zero.
450  *
451  * @dev Caller must have ADMIN role.
452  *
453  * @param _maxResolutionPeriod - the maximum resolution period that a {BosonTypes.Seller} can specify
454  */
455 function setMaxResolutionPeriod(uint256 _maxResolutionPeriod) public override onlyRole(ADMIN) nonReentrant {
456     // Make sure _maxResolutionPeriod is greater than 0
457     checkNonZero(_maxResolutionPeriod);
458
459     protocolLimits().maxResolutionPeriod = _maxResolutionPeriod;
460     emit MaxResolutionPeriodChanged(_maxResolutionPeriod, msgSender());
461 }
```
Recommendation:
We advise each function to ensure that the value is greater-than or less-than its counterpart, guaranteeing that the minResolutionPeriod and maxResolutionPeriod values of protocolLimits() yield a correctly defined range of values.
Alleviation (2b9f60b6c3323fd234b570089ceff924cdb5851c):
Both functions have been updated to ensure the minimum and maximum resolution period limitations define a valid range of values, alleviating this exhibit.
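The cross-validation the recommendation describes, as an added example; it is not Boson Protocol's code and not the contents of the alleviation commit. The contract name, error names, event parameters and the `admin` check (standing in for the ADMIN role and reentrancy guard) are assumptions, as is treating `min == max` as a valid range.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added illustration only: a standalone contract, not a Diamond facet.
contract ResolutionPeriodLimits {
    // Hypothetical error names chosen for this example.
    error ZeroValue();
    error InvalidResolutionPeriod(uint256 min, uint256 max);
    error NotAdmin();

    event MinResolutionPeriodChanged(uint256 minResolutionPeriod, address indexed executedBy);
    event MaxResolutionPeriodChanged(uint256 maxResolutionPeriod, address indexed executedBy);

    address public immutable admin;
    uint256 public minResolutionPeriod;
    uint256 public maxResolutionPeriod;

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // Both bounds are set together at deployment so that neither setter
    // ever compares against an uninitialised (zero) counterpart.
    constructor(uint256 _min, uint256 _max) {
        if (_min == 0 || _max == 0) revert ZeroValue();
        if (_min > _max) revert InvalidResolutionPeriod(_min, _max);
        admin = msg.sender;
        minResolutionPeriod = _min;
        maxResolutionPeriod = _max;
    }

    function setMinResolutionPeriod(uint256 _min) external onlyAdmin {
        if (_min == 0) revert ZeroValue();
        // The new lower bound must not exceed the stored upper bound.
        if (_min > maxResolutionPeriod) revert InvalidResolutionPeriod(_min, maxResolutionPeriod);
        minResolutionPeriod = _min;
        emit MinResolutionPeriodChanged(_min, msg.sender);
    }

    function setMaxResolutionPeriod(uint256 _max) external onlyAdmin {
        if (_max == 0) revert ZeroValue();
        // The new upper bound must not fall below the stored lower bound.
        if (_max < minResolutionPeriod) revert InvalidResolutionPeriod(minResolutionPeriod, _max);
        maxResolutionPeriod = _max;
        emit MaxResolutionPeriodChanged(_max, msg.sender);
    }
}
```

With these checks the order of updates matters: to move the whole range upward, raise the maximum first and then the minimum; to move it downward, lower the minimum first.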
