Omniscia Boson Protocol Audit

x402 Payment Support Security Audit

Audit Report Revisions

Commit HashDateAudit Report Hash
858661679cMay 18th 202620275b528a
8fccc27160May 31st 202669affebd1c
aa4ed0861eJune 3rd 20265ae50aa72a

Audit Overview

We were tasked with performing an audit of the Boson Protocol codebase and in particular their x402 payment support changes implementing BPIP-12 and BPIP-13.

Over the course of the audit, we identified a single potential issue w/ regard to permit compatibility of the DAI token that is actively used in the protocol as well as several informational issues regarding BPIP inconsistencies and potential gas optimizations.

Additionally, the significant refactoring of ExchangeCommitFacet and ExchangeHandlerFacet into the new ExchangeCommitBase and ExchangeRedeemBase base contracts resulted in a substantial loss of inline comments that previously documented the intent, invariants, and edge-case reasoning behind the commit and redeem logic. These comments should be re-introduced into the new base contracts to preserve the codebase's auditability and to assist future contributors in understanding the implementation's design decisions.

We advise the Boson Protocol team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Boson Protocol team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by Boson Protocol and confirmed that all findings have been properly alleviated or safely acknowledged.

During our confirmation of TTA-02M, we identified a new exhibit which can be visited via the following finding ID: TTA-02C

Post-Audit Conclusion (aa4ed0861e)

The Boson Protocol team proceeded with addressing TTA-02C at the BPIP repository by updating its definition to properly illustrate DAI-like approval support.

Subsequent to our review, an independent security researcher disclosed a vulnerability in the offer create-and-commit flow introduced in v2.5.0 (BPIP-10 / PR#1036). A crafted offer, combined with attacker-controlled seller and buyer accounts, could pull ERC-20 funds from any address holding a standing token approval to the Boson Protocol contract.

We reviewed this disclosure, confirmed it is valid, and traced it to the v2.5.0 changes, where it had persisted into the current codebase. The defect was state-dependent: offer-creator authentication was enforced when an offer was first created but not when an already-existing offer was committed again.

The Boson Protocol team remediated the issue in a private fork by enforcing the offer-creator (seller and buyer) validation on every commit, including when the offer already exists (i.e. the offer ID is non-zero).

We evaluated the remediation and consider it to fully address the vulnerability.

Audit Synopsis

SeverityIdentifiedAlleviatedPartially AlleviatedAcknowledged
0000
141301
1100
0000
0000

During the audit, we filtered and validated a total of 0 findings utilizing static analysis tools as well as identified a total of 15 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they can introduce potential misbehaviours of the system as well as exploits.

Total Alleviations

The list below covers each segment of the audit in depth and links to the respective chapter of the report: