Omniscia Boson Protocol Audit
Version 2.5.0 Security Audit
Audit Report Revisions
| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 6a14c31bea | September 23rd 2025 | ecbf71fe88 |
| efd5d1a8f2 | October 9th 2025 | 7b00478e71 |
| 73585830fd | October 10th 2025 | 7f9dab9c39 |
| 73585830fd | October 13th 2025 | c5875fde65 |
Audit Overview
We were tasked with performing an audit of the Boson Protocol codebase and in particular the delta involved in their BPIP-8, BPIP-9, and BPIP-10 implementations.
BPIP-8 introduces the concept of a mutualizer for dispute resolution fees, permitting sellers to pay a premium to be covered by a dispute resolution fee mutualizer as a form of service.
BPIP-9 revolves around the introduction of buyer-initiated offers, ensuring that offer creations can occur by both sellers and buyers through slight refactors of the overall offer flows.
Finally, BPIP-10 relates to the introduction of off-chain offer agreements, permitting the offer to be created and executed in a single transaction through off-chain signatures.
Beyond the changes involved for the aforementioned Boson Protocol improvement proposals, we noticed that there have been several other slight refactors to the codebase.
Namely:
- Signature verification introduced EIP-1271 support
- Optimizations in group validations
- Re-purposing of FundsLib from a library to a contract FundsBase
- Meta-transactions simplified through address appendation
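The two refactors listed above (EIP-1271 support in signature verification and meta-transactions via an appended sender address) in one self-contained illustration. This is an added example, not Boson Protocol code: the contract, the `HALF_ORDER` constant, `isValidSig`, `_msgSender` and `trustedForwarder` are assumed names chosen for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Boson Protocol code): a signature check that accepts
// both EOA and EIP-1271 contract signers, and an ERC-2771-style _msgSender()
// that recovers the original sender from the 20 bytes a trusted forwarder
// appends to calldata. All names below are hypothetical.

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes calldata signature) external view returns (bytes4);
}

contract SignatureAndSenderExample {
    // secp256k1n / 2: signatures with s above this are malleable and rejected
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;
    address public immutable trustedForwarder;

    constructor(address forwarder) {
        trustedForwarder = forwarder;
    }

    /// @notice True if `signature` is a valid signature over `digest` by `signer`.
    /// Contract signers are asked via EIP-1271; EOAs are checked with ecrecover.
    function isValidSig(address signer, bytes32 digest, bytes calldata signature)
        public view returns (bool)
    {
        if (signer == address(0)) return false;

        if (signer.code.length > 0) {
            // Low-level staticcall so a non-compliant contract (missing function,
            // revert, short return) yields `false` instead of bubbling a revert.
            (bool ok, bytes memory ret) = signer.staticcall(
                abi.encodeCall(IERC1271.isValidSignature, (digest, signature))
            );
            return ok
                && ret.length >= 32
                && abi.decode(ret, (bytes32)) == bytes32(IERC1271.isValidSignature.selector);
        }

        // EOA path: expect r || s || v (65 bytes), canonical v, low s.
        if (signature.length != 65) return false;
        bytes32 r = bytes32(signature[0:32]);
        bytes32 s = bytes32(signature[32:64]);
        uint8 v = uint8(signature[64]);
        if (v != 27 && v != 28) return false;
        if (uint256(s) > HALF_ORDER) return false;
        address recovered = ecrecover(digest, v, r, s);
        return recovered != address(0) && recovered == signer;
    }

    /// @dev ERC-2771 style: when the trusted forwarder calls us, the real sender is
    /// the last 20 bytes of calldata; otherwise it is msg.sender as usual.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == trustedForwarder && msg.data.length >= 20) {
            assembly {
                sender := shr(96, calldataload(sub(calldatasize(), 20)))
            }
        } else {
            sender = msg.sender;
        }
    }

    function currentSender() external view returns (address) {
        return _msgSender();
    }
}
```

Two checks a reviewer looks for in this pattern: the appended address must only be honoured when `msg.sender` is the trusted forwarder (a direct caller can append arbitrary bytes), and the contract-signer branch must not revert on a non-compliant target, because a signer that reverts `isValidSignature` should fail verification rather than block the whole transaction. Note also that `code.length > 0` does not distinguish a contract under construction from an EOA.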
Over the course of the audit, we identified vulnerabilities mostly around BPIP-8 with the changes involved in BPIP-9 and BPIP-10 being relatively straightforward.
In detail, we were able to identify a re-entrancy attack that breaches the security assumptions of a previously-deemed-safe function in ExchangeCommitFacet as well as a Denial-of-Service attack for fund releases through seller-defined mutualizers.
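The fund-release Denial-of-Service class mentioned above, in generic form: a contract chosen by one party (here the seller's mutualizer) sits on the release path, so it can revert or burn gas and hold the funds hostage. This is an added illustration, not Boson Protocol's code and not a reproduction of the report's finding; `IFeeMutualizer`, `settleFee`, the `Exchange` struct and all other names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not Boson Protocol code) of the failure class behind a
// "seller-defined mutualizer blocks fund release" finding: an external contract
// chosen by one party sits on the release path. The interface, storage layout
// and names are hypothetical.

interface IFeeMutualizer {
    // Hypothetical hook: settle the dispute resolution fee for an exchange.
    function settleFee(uint256 exchangeId, uint256 fee) external;
}

contract FundsReleaseExample {
    struct Exchange {
        address seller;
        uint256 amount;      // escrowed funds owed to the seller on release
        address mutualizer;  // seller-chosen, untrusted
        bool released;
    }

    mapping(uint256 => Exchange) public exchanges;
    mapping(address => uint256) public available;      // pull-withdrawable balances
    mapping(address => uint256) public unsettledFees;  // fees whose mutualizer call failed
    uint256 public constant MUTUALIZER_GAS = 200_000;

    event MutualizerCallFailed(uint256 indexed exchangeId, address indexed mutualizer, uint256 fee);

    function open(uint256 exchangeId, address seller, address mutualizer) external payable {
        require(seller != address(0), "seller");
        require(exchanges[exchangeId].seller == address(0), "exists");
        exchanges[exchangeId] = Exchange(seller, msg.value, mutualizer, false);
    }

    // Vulnerable shape: the seller's contract is called unconditionally and its
    // revert (or unbounded gas use) propagates, so funds can never be released.
    function releaseVulnerable(uint256 exchangeId, uint256 fee) external {
        Exchange storage e = exchanges[exchangeId];
        require(!e.released && fee <= e.amount, "bad state");
        e.released = true;
        IFeeMutualizer(e.mutualizer).settleFee(exchangeId, fee); // untrusted callee
        available[e.seller] += e.amount - fee;
    }

    // Hardened shape: state is settled first, the untrusted call comes last,
    // is gas-capped, and its failure is recorded instead of reverting the release.
    function releaseHardened(uint256 exchangeId, uint256 fee) external {
        Exchange storage e = exchanges[exchangeId];
        require(!e.released && fee <= e.amount, "bad state");
        e.released = true;
        available[e.seller] += e.amount - fee;

        address m = e.mutualizer;
        // try/catch does NOT catch Solidity's own extcodesize check on the target,
        // so an address without code must be handled explicitly.
        if (m.code.length == 0) {
            unsettledFees[m] += fee;
            emit MutualizerCallFailed(exchangeId, m, fee);
            return;
        }
        try IFeeMutualizer(m).settleFee{gas: MUTUALIZER_GAS}(exchangeId, fee) {
            // fee settled by the mutualizer
        } catch {
            unsettledFees[m] += fee;
            emit MutualizerCallFailed(exchangeId, m, fee);
        }
    }

    function withdraw() external {
        uint256 bal = available[msg.sender];
        available[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: bal}("");
        require(ok, "transfer failed");
    }
}
```

The design point is that the core release must not depend on the untrusted callee succeeding: effects are committed before the external call, the call is gas-capped so a gas-griefing mutualizer cannot exhaust the transaction, and the failure is accounted for (here as an unsettled fee) rather than propagated. Two caveats: a `try` on an address with no code reverts outside the `catch`, which is why the explicit `code.length` check is needed, and a caller can still supply too little gas to the outer call so that the capped inner call fails, so the catch path must itself be cheap enough to complete on the remaining 1/64 of gas.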
We advise the Boson Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimization-related exhibits identified in the report.
Post-Audit Conclusion
The Boson Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.
We evaluated all alleviations performed by Boson Protocol and have identified that a particular exhibit has not been adequately dealt with. We advise the Boson Protocol team to revisit the following exhibit: FBE-02M
Post-Audit Conclusion (73585830fd)
The Boson Protocol team evaluated the final exhibit's addendum and proceeded with alleviating it fully.
We consider all outputs of the audit report properly consumed by the Boson Protocol team with no outstanding remediative actions remaining.
Audit Synopsis
| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| (severity icon) | 0 | 0 | 0 | 0 |
| (severity icon) | 12 | 9 | 0 | 3 |
| (severity icon) | 5 | 5 | 0 | 0 |
| (severity icon) | 0 | 0 | 0 | 0 |
| (severity icon) | 2 | 2 | 0 | 0 |
During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools and identified a further 17 findings during the manual review of the codebase. We strongly recommend that all findings of minor severity or higher are dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.
Total Alleviations
The list below covers each segment of the audit in depth and links to the respective chapter of the report: