Omniscia Boson Protocol Audit
OfferHandlerFacet Manual Review Findings
OHF-01M: Inexistent Validation of Mutualizer Interface Conformity
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | OfferHandlerFacet.sol:L514 |
Description:
In contrast to the OfferBase::storeOffer function, the OfferHandlerFacet::updateOfferMutualizerInternal function does not validate that the _newMutualizer adheres to the expected mutualizer interface.
Impact:
A non-functional mutualizer (one that does not implement the expected interface) can presently be configured via the OfferHandlerFacet::updateOfferMutualizerInternal function.
Example:
contracts/protocol/facets/OfferHandlerFacet.sol
```solidity
508 function updateOfferMutualizerInternal(uint256 _offerId, address _newMutualizer) internal {
509     // Make sure the caller is the assistant, offer exists and is not voided
510     Offer storage offer = getValidOfferWithSellerCheck(_offerId);
511
512     DisputeResolutionTerms storage disputeResolutionTerms = fetchDisputeResolutionTerms(_offerId);
513     if (disputeResolutionTerms.mutualizerAddress == _newMutualizer) revert SameMutualizerAddress();
514     disputeResolutionTerms.mutualizerAddress = payable(_newMutualizer);
515
516     emit OfferMutualizerUpdated(_offerId, offer.sellerId, _newMutualizer, _msgSender());
517 }
```
Recommendation:
We advise such validation to be imposed, ensuring the updated mutualizer satisfies the expected interface.
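As an added illustration (not the protocol's code and not the fix referenced in the alleviation commit), the following shows one way such a conformity check can be applied on update. The interface name `IMutualizer`, its member, the example contract and the treatment of `address(0)` as "no mutualizer" are all assumptions; the real check in OfferBase::storeOffer is not reproduced on this page and may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "@openzeppelin/contracts/utils/introspection/IERC165.sol";

// Hypothetical mutualizer interface used for illustration only; the real
// protocol interface (and therefore its interfaceId) must be taken from the
// code base under audit.
interface IMutualizer is IERC165 {
    function isSellerCovered(uint256 sellerId, uint256 feeAmount) external view returns (bool);
}

library MutualizerCheck {
    error InvalidMutualizer(address mutualizer);

    // True only when `candidate` is a deployed contract that reports support
    // for the expected interface via ERC-165. An EOA, a contract without
    // ERC-165, and a contract whose supportsInterface reverts all fail.
    function conforms(address candidate) internal view returns (bool) {
        if (candidate.code.length == 0) return false;
        try IERC165(candidate).supportsInterface(type(IMutualizer).interfaceId) returns (bool ok) {
            return ok;
        } catch {
            return false;
        }
    }
}

// Minimal stand-in for the facet: stores one mutualizer per offer.
contract OfferMutualizerExample {
    using MutualizerCheck for address;

    mapping(uint256 => address payable) public mutualizerOf; // offerId => mutualizer

    error SameMutualizerAddress();

    event OfferMutualizerUpdated(uint256 indexed offerId, address mutualizer);

    // Hardened update: the address is validated before it is persisted.
    // Assumption: address(0) means "no mutualizer" and remains accepted; align
    // this with the protocol's actual semantics before reuse.
    function updateOfferMutualizer(uint256 offerId, address newMutualizer) external {
        if (mutualizerOf[offerId] == newMutualizer) revert SameMutualizerAddress();
        if (newMutualizer != address(0) && !newMutualizer.conforms()) {
            revert MutualizerCheck.InvalidMutualizer(newMutualizer);
        }
        mutualizerOf[offerId] = payable(newMutualizer);
        emit OfferMutualizerUpdated(offerId, newMutualizer);
    }
}
```

The `code.length` guard and the `try/catch` matter because an ERC-165 probe against an EOA or a reverting contract would otherwise either return garbage or abort the whole update with an unhelpful error.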
Alleviation (efd5d1a8f23c3bca7c25273ea4c912a367250119):
The code was updated to properly validate the mutualizer interface during an update, alleviating this exhibit.
