BosonVoucher Manual Review Findings

BVR-01M: Inexistent Prevention of Self-Transfer

Type	Severity	Location
Logical Fault		BosonVoucher.sol:L143

Description:

The _beforeTokenTransfer hook executes sensitive onVoucherTransferred functionality that should be solely executed when dealing with different from and to addresses.

Example:

Copy
137function _beforeTokenTransfer(
138    address from,
139    address to,
140    uint256 tokenId
141) internal override {
142    // Only act when transferring, not minting or burning
143    if (from != address(0) && to != address(0)) {
144        onVoucherTransferred(tokenId, payable(to));
145    }
146}

Recommendation:

We advise the if conditional to additionally validate that from is not equal to to, preventing self-transfers from executing the onVoucherTransferred hooks and affecting future functionality of the protocol.

Alleviation (44009967e4f68092941d841e9e0f5dd2bb31bf0b):

An additional check preventing the execution of onVoucherTransferred when from is equal to to was included in the codebase thus alleviating this exhibit in full.