Omniscia Evergon Labs Audit
PurchaseToReceiveRoleApprovalFacetStorage Manual Review Findings
PTA-01M: Potentially Unconfigured Restriction
| Type | Severity | Location |
|---|---|---|
| Logical Fault | | PurchaseToReceiveRoleApprovalFacetStorage.sol:L93-L94 |
Description:
The PurchaseToReceiveRoleApprovalFacetStorage::approvePurchaseComplete function mandates that the purchase phase has ended; however, it does not validate that the phase was configured in the first place.
Impact:
A campaign with an undefined purchase phase and a state equal to the interferenceState can be advanced as if the purchase has been completed.
Example:
packages/contracts/contracts/skeletonFacets/connectors/purchaseToReceiveConnectors/purchaseToReceiveRoleApproval/PurchaseToReceiveRoleApprovalFacetStorage.sol
```solidity
92 // Check if purchase phase has ended.
93 (, uint256 endingTimestamp) = IPurchaseTimeFacet(address(this)).getPurchaseTimes(campaignId);
94 if (endingTimestamp >= block.timestamp) revert PurchasePhaseNotFinished();
```
Recommendation:
We advise the system to ensure that the purchase phase has been explicitly configured by ensuring that the endingTimestamp is non-zero, preventing an uninitialized purchase phase from being considered as having elapsed.
Alleviation (71cda4ccfdcfa25fb96a4565f1f8143b350dd246):
The code properly ensures that an endingTimestamp has been configured for the relevant campaign, properly validating that the purchase phase has been defined.
