Macho Mocha Donkey
Low/Info
The assert() function in BoostCore.sol::_makeIncentives might cause a panic.
Summary
The BoostCore contract uses assert() in the _makeIncentives function. On failure this raises a Panic error instead of a descriptive revert, so no error string (or custom error) can be returned to the caller.
Vulnerability Detail
https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/BoostCore.sol#L266C1-L292C1
The _makeIncentives function uses the built-in assert function to verify the success of an external call. According to Solidity's documentation, assert is intended solely for testing internal errors and invariants:
"Assert should only be used to test for internal errors, and to check invariants. Properly functioning code should never create a Panic, not even on invalid external input. If this happens, then there is a bug in your contract which you should fix. Language analysis tools can evaluate your contract to identify the conditions and function calls which will cause a Panic."
More details: https://docs.soliditylang.org/en/v0.8.27/control-structures.html#panic-via-assert-and-error-via-require
Impact
The assert function generates a Panic(uint256) error, the same kind of error the compiler emits in the situations outlined here: https://docs.soliditylang.org/en/v0.8.27/control-structures.html#panic-via-assert-and-error-via-require. Because a failed external call therefore surfaces as a Panic, no error string can be attached, and callers and tooling read the revert as an internal invariant violation rather than as a rejected external input.
Code Snippet
Tool used
Manual code review
Recommendation
Use the require function (with a reason string) or an if condition that reverts with a custom error instead of assert.
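The following contract is an added illustration of the pattern this finding describes and of the recommended replacement; it is not Boost Protocol code. The IIncentive interface, the initialize() function, the IncentiveFactoryExample contract and the IncentiveInitFailed error are all hypothetical stand-ins for the external call that _makeIncentives checks. All three functions revert when the external call reports failure; they differ only in what the revert carries back to the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal incentive interface (assumption, not the project's ABI).
// Only the boolean result of initialize() matters for this example.
interface IIncentive {
    function initialize(bytes calldata data) external returns (bool);
}

/// Hypothetical factory used to contrast assert() with require()/custom errors.
contract IncentiveFactoryExample {
    /// Custom error carrying the failing index and address, so an integrator
    /// can tell which incentive was rejected and why the transaction reverted.
    error IncentiveInitFailed(uint256 index, address incentive);

    /// The pattern the finding flags: assert() guarding an external call.
    /// A false result reverts with Panic(0x01). No message is attached, and
    /// explorers/analysis tools treat the Panic as a broken internal invariant
    /// rather than as an external input that was legitimately rejected.
    function initWithAssert(IIncentive[] calldata incentives, bytes[] calldata data) external {
        for (uint256 i = 0; i < incentives.length; i++) {
            assert(incentives[i].initialize(data[i]));
        }
    }

    /// Recommended form 1: require() with a reason string. A false result
    /// reverts with Error(string), which wallets and test frameworks decode.
    function initWithRequire(IIncentive[] calldata incentives, bytes[] calldata data) external {
        for (uint256 i = 0; i < incentives.length; i++) {
            require(incentives[i].initialize(data[i]), "incentive initialization failed");
        }
    }

    /// Recommended form 2: if/revert with a custom error. Cheaper to deploy
    /// than a string and lets the revert carry structured data (index, address).
    function initWithCustomError(IIncentive[] calldata incentives, bytes[] calldata data) external {
        for (uint256 i = 0; i < incentives.length; i++) {
            if (!incentives[i].initialize(data[i])) {
                revert IncentiveInitFailed(i, address(incentives[i]));
            }
        }
    }
}
```

In a test that deploys a mock IIncentive whose initialize() returns false, the first function reverts with the Panic(uint256) selector and code 0x01, while the other two revert with Error(string) and IncentiveInitFailed respectively; the second and third are the only ones a caller can meaningfully decode.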