search

sherlock-audit / 2024-06-boost-aa-wallet-judging

3 stars 1 forks source link

ParthMandale - `Boostcore::createBoost` in a certain case would lead to the creation of "junk boosts" whereas it should have reverted in that case. #439

Open sherlock-admin4 opened 2 months ago

sherlock-admin4 commented 2 months ago

ParthMandale

High

Boostcore::createBoost in a certain case would lead to the creation of "junk boosts" whereas it should have reverted in that case.

Summary

Boostcore::createBoost in a certain case would lead to the creation of "junk boosts" whereas it should have reverted in that case.

Vulnerability Detail

When owner wants to create a new boost he will execute function createBoost -

    function createBoost(bytes calldata data_)
        external
        canCreateBoost(msg.sender)
        nonReentrant
        returns (BoostLib.Boost memory)
    {
        InitPayload memory payload_ = abi.decode(data_.cdDecompress(), (InitPayload));

        // Validate the Budget
        _checkBudget(payload_.budget);

        // Initialize the Boost
        BoostLib.Boost storage boost = _boosts.push();
        boost.owner = payload_.owner;
        boost.budget = payload_.budget;
        boost.protocolFee = protocolFee + payload_.protocolFee;
        boost.referralFee = referralFee + payload_.referralFee;
        boost.maxParticipants = payload_.maxParticipants;

        // Setup the Boost components
        boost.action = AAction(_makeTarget(type(AAction).interfaceId, payload_.action, true));
        boost.allowList = AAllowList(_makeTarget(type(AAllowList).interfaceId, payload_.allowList, true));
@>        boost.incentives = _makeIncentives(payload_.incentives, payload_.budget);
        boost.validator = AValidator(
            payload_.validator.instance == address(0)
                ? boost.action.supportsInterface(type(AValidator).interfaceId) ? 
@>                address(boost.action) : address(0)
                : _makeTarget(type(AValidator).interfaceId, payload_.validator, true)
        );
        emit BoostCreated(
            _boosts.length - 1,
            boost.owner,
            address(boost.action),
            boost.incentives.length,
            address(boost.validator),
            address(boost.allowList),
            address(boost.budget)
        );
        return boost;
    }

Here in this function, the main issue leading to the creation of "junk boosts" will occur while setting the validator contract address for the boost. Let's examine it:

        boost.validator = AValidator(
            payload_.validator.instance == address(0)
                ? boost.action.supportsInterface(type(AValidator).interfaceId) ? address(boost.action) : address(0)
                : _makeTarget(type(AValidator).interfaceId, payload_.validator, true)
        );

Ternary Operator Breakdown: The following logic uses nested ternary operators (condition ? value_if_true : value_if_false) to decide the value.

If true (address is 0): It proceeds to the INNER ternary:

boost.action.supportsInterface(type(AValidator).interfaceId)
    ? address(boost.action)
    : address(0)

Condition: boost.action.supportsInterface(type(AValidator).interfaceId)

boost.action.supportsInterface(...) checks if the object boost.action supports the interface identified by AValidator. type(AValidator).interfaceId: This retrieves the interface ID (a bytes4 value) of the AValidator interface, used in interface detection. If true: address(boost.action) is returned, meaning boost.validator will be set to the address of boost.action.

ISSUE HERE - If false: address(0) is returned, meaning boost.validator will be set to the zero address (no validator).

A boost, is not possible to work without the validator contract as it helps in validating the user specific "action". Therefore the Boostcore::createBoost will be successful in creating a boost that does not have any validator contract. This boost will be of no use and no one will use it due to not having proper validator contract. Leading this to creating a "Junk Boosts"

Impact

A boost, it is not possible to work without the validator contract as it helps in validating the user specific "action". Therefore the Boostcore::createBoost will be successful in creating a boost that does not have any validator contract. This boost will be of no use and no one will use it due to not having a proper validator contract. Leading this to creating a "Junk Boosts"

Code Snippet

https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/78930f2ed6570f30e356b5529bd4bcbe5194eb8b/boost-protocol/packages/evm/contracts/BoostCore.sol#L131

Tool used

Manual Review

Recommendation

In this type of case instead of setting it to address(0), directly revert the whole function, letting no "Junk boost" get created.