Omniscia Gnosis Guild Audit

Integrity Manual Review Findings

Integrity Manual Review Findings

IYT-01M: Weak Validation of Children Counts

TypeSeverityLocation
Input SanitizationIntegrity.sol:L119-L141

Description:

The referenced for loop within Integrity::_topology does not adequately validate multiple operators as the children count is validated solely for a subset of operators.

Impact:

The code currently permits malformed conditions to be defined that will misbehave.

Example:

packages/evm/contracts/Integrity.sol
119for (uint256 i = 0; i < conditions.length; i++) {
120    ConditionFlat memory condition = conditions[i];
121    if (
122        condition.paramType == ParameterType.Array &&
123        childrenBounds[i].length == 0
124    ) {
125        revert UnsuitableChildrenCount(i);
126    }
127    if (
128        (condition.operator == Operator.ArraySome ||
129            condition.operator == Operator.ArrayEvery) &&
130        childrenBounds[i].length != 1
131    ) {
132        revert UnsuitableChildrenCount(i);
133    }
134

135    if (
136        condition.operator == Operator.ArraySubset &&
137        childrenBounds[i].length > 256
138    ) {
139        revert UnsuitableChildrenCount(i);
140    }
141}

Recommendation:

We advise the referenced code to be expanded, supporting validation of the missing operator types (i.e. EqualToAvatar, Matches, GreaterThan, LessThan, etc.) to ensure that they either have at least one child (i.e. in the case of Matches) or they do not have any children (i.e. in the case of EqualToAvatar).

Alleviation:

The Integrity::_topology function has been renamed to Integrity::_tree and now properly validates the children count of all ParameterType as well as potential operator sub-categories, alleviating this exhibit in full.

IYT-02M: Weak Validation of Comparator Values

TypeSeverityLocation
Input SanitizationIntegrity.sol:L84-L100

Description:

The referenced for loop within Integrity::_topology does not adequately validate multiple operators as the comparator value (compValue) is validated solely for the logical subset of operators.

Impact:

The code currently permits malformed conditions to be defined that will misbehave.

Example:

packages/evm/contracts/Integrity.sol
83// check at least 1 child for Logical
84for (uint256 i = 0; i < conditions.length; i++) {
85    ConditionFlat memory condition = conditions[i];
86    if (
87        (condition.operator >= Operator.And &&
88            condition.operator <= Operator.Xor)
89    ) {
90        // must have no compValue
91        if (condition.compValue.length != 0) {
92            revert UnsuitableCompValue(i);
93        }
94

95        // must have at least one child
96        if (childrenBounds[i].length == 0) {
97            revert UnsuitableChildrenCount(i);
98        }
99    }
100}

Recommendation:

We advise the referenced code to be expanded, supporting validation of the missing operator types (i.e. EqualToAvatar, WithinAllowance etc.) that shouldn't have a comparator value defined as well as operator types like Custom which must have a comparator value defined.

Alleviation:

The compValue entry of a particular condition is no longer validated in Integirty::_topology (now renamed to Integrity::_tree) and has been relocated to the Integrity::_node function. The revised code sanitizes the compValue of a condition based on the exact Operator type, ensuring that the compValue of each condition is either adequately present or absent.

As such, we consider this exhibit fully alleviated.

Prev

Roles.sol (RSE-S)

Next

PermissionChecker.sol (PCR-M)

On this page