Omniscia Boson Protocol Audit

GroupBase Manual Review Findings

GBE-01M: Insufficient Validation of Conditions

Description:

The GroupBase::validateCondition function insufficiently sanitizes its input Condition. Specifically, it fails to ensure that a tokenId has been specified in the following cases:

  • Threshold + MultiToken: Requiring a tokenId here would also guarantee that a non-zero length has been specified, which is a requirement.
  • SpecificToken: In this case, the tokenId must be defined, as otherwise no "specific token" will be evaluated.

Impact:

It is presently possible to validate conditions that should otherwise fail, and such conditions could cause the condition-consumption mechanisms of other Boson Protocol modules to misbehave.

Example:

contracts/protocol/bases/GroupBase.sol
function validateCondition(Condition calldata _condition) internal pure returns (bool) {
    bool valid = true;
    if (_condition.method == EvaluationMethod.None) {
        valid = (_condition.tokenAddress == address(0) &&
            _condition.tokenId == 0 &&
            _condition.threshold == 0 &&
            _condition.maxCommits == 0 &&
            _condition.length == 0);
    } else {
        if (_condition.tokenId != 0) {
            valid = _condition.length != 0;
            valid = valid && type(uint256).max - _condition.length >= _condition.tokenId;
        }

        if (_condition.method == EvaluationMethod.Threshold) {
            valid =
                valid &&
                (_condition.tokenAddress != address(0) && _condition.maxCommits > 0 && _condition.threshold > 0);

            if (_condition.tokenType != TokenType.MultiToken) {
                // NonFungibleToken and FungibleToken should not have length and tokenId
                valid = valid && _condition.length == 0 && _condition.tokenId == 0;
            }
        } else {
            valid =
                valid &&
                (_condition.tokenAddress != address(0) &&
                    _condition.maxCommits > 0 &&
                    _condition.tokenType != TokenType.FungibleToken); // FungibleToken not allowed for SpecificToken

            // SpecificToken with NonFungibleToken should not have threshold
            if (_condition.tokenType == TokenType.NonFungibleToken) {
                valid = valid && _condition.threshold == 0;
            } else {
                // SpecificToken with MultiToken should have threshold
                valid = valid && _condition.threshold > 0;
            }
        }
    }

    return valid;
}

Recommendation:

We advise that the code properly guarantee that a tokenId has been specified in the aforementioned combinations of cases, as they comprise improperly defined conditions that should not be validated.

Alleviation (2b9f60b6c3323fd234b570089ceff924cdb5851c):

The Boson Protocol team evaluated this exhibit and stated that a given tokenId of 0 is valid and, as such, the recommended course of action cannot be applied.

We concur with this assessment and thus consider this exhibit to be nullified.
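The following Python model of the listed validateCondition is an added example, not Boson Protocol or Omniscia code. It runs the combinations named in the finding with tokenId left at 0, and shows that a strict tokenId check would reject exactly the token ID 0 that the team considers valid. The `require_token_id` switch, the `Condition` dataclass, the sample address and the case names are assumptions made for illustration; the strict check is one reading of the recommendation.

```python
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
ZERO_ADDR = "0x" + "00" * 20
ADDR = "0x" + "11" * 20  # constructed sample token address

@dataclass
class Condition:  # field names mirror the Condition fields used in the listing
    method: str          # "None" | "Threshold" | "SpecificToken"
    token_type: str      # "FungibleToken" | "NonFungibleToken" | "MultiToken"
    token_address: str = ZERO_ADDR
    token_id: int = 0
    threshold: int = 0
    max_commits: int = 0
    length: int = 0

def validate_condition(c, require_token_id=False):
    """Model of validateCondition; require_token_id adds a hypothetical strict check."""
    if c.method == "None":
        return (c.token_address == ZERO_ADDR and c.token_id == 0 and c.threshold == 0
                and c.max_commits == 0 and c.length == 0)
    valid = True
    if c.token_id != 0:
        # non-zero tokenId needs non-zero length, and tokenId + length must fit uint256
        valid = c.length != 0 and UINT256_MAX - c.length >= c.token_id
    valid = valid and c.token_address != ZERO_ADDR and c.max_commits > 0
    if c.method == "Threshold":
        valid = valid and c.threshold > 0
        if c.token_type != "MultiToken":
            valid = valid and c.length == 0 and c.token_id == 0
        elif require_token_id:  # assumption: not in the contract
            valid = valid and c.token_id != 0
    else:  # SpecificToken
        valid = valid and c.token_type != "FungibleToken"
        if c.token_type == "NonFungibleToken":
            valid = valid and c.threshold == 0
        else:
            valid = valid and c.threshold > 0
        if require_token_id:  # assumption: not in the contract
            valid = valid and c.token_id != 0
    return valid

CASES = {  # constructed inputs: the combinations named in the finding, tokenId left at 0
    "threshold_multitoken": Condition("Threshold", "MultiToken", ADDR, threshold=1, max_commits=1),
    "specific_nft": Condition("SpecificToken", "NonFungibleToken", ADDR, max_commits=1),
    "specific_multitoken": Condition("SpecificToken", "MultiToken", ADDR, threshold=1, max_commits=1),
}
if __name__ == "__main__":
    for name, cond in CASES.items():
        print(name, validate_condition(cond), validate_condition(cond, require_token_id=True))
```

Each case validates under the listed logic and fails under the strict variant, which is why the recommendation cannot be applied once tokenId 0 is treated as a legitimate ID.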