FailedBuybackToFoldFacetStorage Manual Review Findings

FBF-01M: Potentially Unconfigured Restriction

Type	Severity	Location
Logical Fault		FailedBuybackToFoldFacetStorage.sol:L60-L61

Description:

The FailedBuybackToFoldFacetStorage::triggerFailedBuyback function will evaluate the buyback restrictions of the DurationBuybackTimeFacet::getBuybackTimes function and will do so incorrectly as it evaluates the endingTimestamp which may be 0 for an unconfigured campaign's buyback.

Impact:

A campaign with an uninitialized buyback period and a reachable buybackState outside the buyback period's configuration will be able to advance to the destinationState even though a buyback period may not have been configured.

Example:

Copy
56function triggerFailedBuyback(Layout storage l, uint256 campaignId) internal {
57    if (l.buybackState != StateFacetStorage.layout().stateOfId[campaignId]) {
58        revert NonBuybackState(l.buybackState, StateFacetStorage.layout().stateOfId[campaignId]);
59    }
60    (, uint256 endingTimestamp) = IBuybackTimeFacet(address(this)).getBuybackTimes(campaignId);
61    if (block.timestamp <= endingTimestamp) revert InvalidFailedBuyback();
62
63    StateFacetStorage.layout().changeState(campaignId, l.buybackState, l.destinationState);
64}

Recommendation:

We advise the system to properly ensure that an endingTimestamp has been defined (i.e. is non-zero), preventing a failed buyback from being considered as having taken place in an uninitialized buyback period.

Alleviation (71cda4ccfdcfa25fb96a4565f1f8143b350dd246):

The code properly ensures that an endingTimestamp has been configured for the relevant campaign, properly validating that the buyback period has been defined.