Omniscia Boson Protocol Audit
OfferBase Manual Review Findings
OBE-01M: Inexistent Validation of Proper Voucher Redemption Setup
Type | Severity | Location |
---|---|---|
Input Sanitization | | OfferBase.sol:L123-L127 |
Description:
The `voucherRedeemableFrom` and `voucherRedeemableUntil` values can differ by as little as one unit, and `voucherRedeemableUntil` can be equal to `validUntil`. In both cases the redemption window is inadequate and inoperable: a purchase made at `validUntil` will have no time to be redeemed, and a window of `1` second will not be usable.
Impact:
An improperly set-up voucher system could allow buyers to purchase vouchers that ultimately cannot be redeemed, improperly causing automatic forfeiture of their funds.
Example:
```solidity
// OfferBase.sol, lines 123-127 (excerpt)
if (_offerDates.voucherRedeemableUntil > 0) {
    require(_offerDurations.voucherValid == 0, AMBIGUOUS_VOUCHER_EXPIRY);
    require(_offerDates.voucherRedeemableFrom < _offerDates.voucherRedeemableUntil, REDEMPTION_PERIOD_INVALID);
    require(_offerDates.voucherRedeemableUntil >= _offerDates.validUntil, REDEMPTION_PERIOD_INVALID);
} else {
```
Recommendation:
We advise proper validation to be imposed on the voucher redemption system by setting a group of "minimum" values that act as a "grace period" for voucher redemption, ensuring that redemptions can be executed in a timely manner.
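One way to express the recommended grace period, as an added example that is not Boson Protocol or Omniscia code: the check measures the time left to the worst-case buyer, who commits at `validUntil`. The contract name, the trimmed-down structs, the `MIN_REDEMPTION_WINDOW` value, the custom errors, and the treatment of the `voucherValid` branch (which goes beyond the excerpt above) are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

// Added example, not Boson Protocol code. Structs hold only the fields the
// finding discusses; constant and error names are hypothetical.
contract RedemptionWindowCheck {
    struct OfferDates {
        uint256 validUntil;
        uint256 voucherRedeemableFrom;
        uint256 voucherRedeemableUntil;
    }

    struct OfferDurations {
        uint256 voucherValid;
    }

    // Assumed policy value: minimum time any buyer must have to redeem.
    uint256 public constant MIN_REDEMPTION_WINDOW = 1 days;

    error AmbiguousVoucherExpiry();
    error RedemptionWindowTooShort(uint256 available, uint256 minimum);

    function validateRedemption(OfferDates memory d, OfferDurations memory t) public pure {
        if (d.voucherRedeemableUntil > 0) {
            // Fixed-date expiry: a duration must not be set as well.
            if (t.voucherValid != 0) revert AmbiguousVoucherExpiry();

            // Redemption can start no earlier than the later of the
            // redeemable-from date and the last possible purchase time.
            uint256 latestStart = d.voucherRedeemableFrom > d.validUntil
                ? d.voucherRedeemableFrom
                : d.validUntil;

            // Guarded subtraction: an inverted or empty window counts as 0.
            uint256 available = d.voucherRedeemableUntil > latestStart
                ? d.voucherRedeemableUntil - latestStart
                : 0;
            if (available < MIN_REDEMPTION_WINDOW)
                revert RedemptionWindowTooShort(available, MIN_REDEMPTION_WINDOW);
        } else {
            // Assumption: with no fixed expiry, voucherValid is the buyer's
            // redemption duration, so the same minimum applies to it.
            if (t.voucherValid < MIN_REDEMPTION_WINDOW)
                revert RedemptionWindowTooShort(t.voucherValid, MIN_REDEMPTION_WINDOW);
        }
    }
}
```

With these checks, both cases from the description are rejected: a one-second window and `voucherRedeemableUntil == validUntil` each leave less than `MIN_REDEMPTION_WINDOW` available.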
Alleviation (44009967e4f68092941d841e9e0f5dd2bb31bf0b):
After evaluation of the exhibit, the Boson Protocol team decided to retain the current code in place and to not introduce any validation checks, as they wish to ensure all partners and integrators are not significantly impacted functionally, and plan to potentially remediate in a post-v2 upgrade. As a result, we consider this exhibit acknowledged.