Omniscia Boson Protocol Audit
ProtocolInitializationHandlerFacet Manual Review Findings
PIH-01M: Inexistent Support of Manual Seller Configuration
| Type | Severity | Location |
|---|---|---|
| Language Specific | | ProtocolInitializationHandlerFacet.sol:L172-L178 |
Description:
The ProtocolInitializationHandlerFacet::initV2_3_0 function assigns the sellerCreator values of multiple seller IDs in a single call to ensure that existing deployed seller IDs remain compatible with the updated system. However, this type of upgrade mechanism can only process a finite number of seller IDs and can become inexecutable in the future.
Impact:
The current v2.3.0 upgrade initialization methodology may become unsustainable as the protocol grows due to the inherent block gas limits that are present on all blockchains.
Example:
```solidity
172 for (uint256 i = 0; i < sellerIds.length; i++) {
173     (bool exists, , ) = fetchSeller(sellerIds[i]);
174     require(exists, NO_SUCH_SELLER);
175     require(sellerCreators[i] != address(0), INVALID_ADDRESS);
176
177     lookups.sellerCreator[sellerIds[i]] = sellerCreators[i];
178 }
```
Recommendation:
We advise the code to instead allow sellerCreator values to be filled in either via administrative action in batches, or by the owner of a particular BosonVoucher instance, either of which we consider an adequate remediation to this exhibit.
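One way the batched administrative fill from this recommendation could look, as an added example that is not Boson Protocol's code. The contract, its storage mappings, `registerSeller`, the `MAX_BATCH` value and the write-once rule are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

/// Illustrative sketch only: not Boson Protocol code. Storage layout, names,
/// the MAX_BATCH value and the write-once rule are assumptions for this example.
contract SellerCreatorBackfill {
    uint256 public constant MAX_BATCH = 100; // assumed cap, sized to stay under the block gas limit

    address public immutable admin;                   // stand-in for the protocol's access control
    mapping(uint256 => bool) public sellerExists;     // stand-in for fetchSeller(id)
    mapping(uint256 => address) public sellerCreator; // stand-in for lookups.sellerCreator

    event SellerCreatorSet(uint256 indexed sellerId, address indexed creator);

    constructor() {
        admin = msg.sender;
    }

    /// Stand-in for seller creation so the sketch is self-contained.
    function registerSeller(uint256 sellerId) external {
        require(msg.sender == admin, "not admin");
        sellerExists[sellerId] = true;
    }

    /// Backfills one bounded batch per transaction. The admin repeats the call
    /// until every seller is covered, so no single transaction has to fit the
    /// whole seller set into one block.
    function setSellerCreators(uint256[] calldata sellerIds, address[] calldata creators) external {
        require(msg.sender == admin, "not admin");
        require(sellerIds.length == creators.length, "length mismatch");
        require(sellerIds.length <= MAX_BATCH, "batch too large");

        for (uint256 i = 0; i < sellerIds.length; i++) {
            uint256 id = sellerIds[i];
            require(sellerExists[id], "no such seller");
            require(creators[i] != address(0), "invalid address");
            // Write-once: a repeated or overlapping batch cannot overwrite an entry.
            require(sellerCreator[id] == address(0), "already set");

            sellerCreator[id] = creators[i];
            emit SellerCreatorSet(id, creators[i]);
        }
    }
}
```

Because the work is moved out of the one-shot upgrade initializer, the initializer's gas cost no longer grows with the number of existing sellers.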
Alleviation (2b9f60b6c3323fd234b570089ceff924cdb5851c):
Initialization of seller IDs has been eliminated from the ProtocolInitializationHandlerFacet::initV2_3_0 function as a different methodology of associating sellers with their voucher clones has been employed in the form of seller "salts".
These salts are auto-filled for accounts created before the v2.3.0 deployment of the Boson Protocol, rendering this exhibit alleviated as the unsustainable seller ID-to-creator association is no longer performed in the protocol's initialization.
PIH-02M: Insufficient Sanitization of Minimum Resolution Period
| Type | Severity | Location |
|---|---|---|
| Input Sanitization | | ProtocolInitializationHandlerFacet.sol:L165 |
Description:
The _minResolutionPeriod that is newly specified in the ProtocolInitializationHandlerFacet::initV2_3_0 function is inadequately sanitized as it may be greater than the current maxResolutionPeriod.
Impact:
The contract can presently be misconfigured during its deployment, which should be prohibited.
Example:
```solidity
164 // Initialize limits.maxPremintedVouchers (configHandlerFacet initializer)
165 require(_minResolutionPeriod != 0, VALUE_ZERO_NOT_ALLOWED);
166 protocolLimits().minResolutionPeriod = _minResolutionPeriod;
167 emit MinResolutionPeriodChanged(_minResolutionPeriod, msgSender());
```
Recommendation:
We advise the require check to either be expanded or a new one to be introduced, ensuring that the value of _minResolutionPeriod is less than the value of the current protocolLimits().maxResolutionPeriod and thereby preventing misconfiguration of the contract during its initialization.
Alleviation (2b9f60b6c3323fd234b570089ceff924cdb5851c):
The minimum resolution period is adequately sanitized per our recommendation in the ProtocolInitializationHandlerFacet::initV2_3_0 function, alleviating this exhibit.
