Omniscia Boson Protocol Audit
ConfigHandlerFacet Static Analysis Findings
ConfigHandlerFacet Static Analysis Findings
CHF-01S: Illegible Numeric Value Representations
| Type | Severity | Location |
|---|---|---|
| Code Style |  | ConfigHandlerFacet.sol:L159, L379, L409, L463 |
Description:
The linked representations of numeric literals are sub-optimally represented decreasing the legibility of the codebase.
Example:
159require(_protocolFeePercentage <= 10000, FEE_PERCENTAGE_INVALID);Recommendation:
To properly illustrate each value's purpose, we advise the following guidelines to be followed.
For values meant to depict fractions with a base of 1e18, we advise fractions to be utilized directly (i.e. 1e17 becomes 0.1e18) as they are supported.
For values meant to represent a percentage base, we advise each value to utilize the underscore (_) separator to discern the percentage decimal (i.e. 10000 becomes 100_00, 300 becomes 3_00 and so on).
Finally, for large numeric values we simply advise the underscore character to be utilized again to represent them (i.e. 1000000 becomes 1_000_000).
Alleviation (44009967e4f68092941d841e9e0f5dd2bb31bf0b):
The Boson Protocol team evaluated this exhibit and opted to retain the current representational style in the codebase as they deem an underscore in small numbers such as the value 100_00 as unnecessary. As a result, we consider this exhibit as acknowledged.
CHF-02S: Inexistent Sanitization of Input Addresses
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | ConfigHandlerFacet.sol:L76-L79, L95-L98, L114-L117, L133-L136, L490-L500 |
Description:
The linked function(s) accept address arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
114function setVoucherBeaconAddress(address _voucherBeaconAddress) public override onlyRole(ADMIN) nonReentrant {115 protocolAddresses().voucherBeacon = _voucherBeaconAddress;116 emit VoucherBeaconAddressChanged(_voucherBeaconAddress, msgSender());117}Recommendation:
We advise some basic sanitization to be put in place by ensuring that each address specified is non-zero.
Alleviation (44009967e4f68092941d841e9e0f5dd2bb31bf0b):
All referenced instances of address inputs are now properly sanitized against the zero address as advised.