Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

BoostController: Inconsistent and Incorrect Error Handling for Address Validation

elegantart306

Summary

The BoostController contract uses mismatched error types for address validations and inconsistently reverts pool support checks, leading to misleading error messages and integration risks. While not directly exploitable, these flaws degrade code quality and complicate debugging.

Vulnerability Details

1. Incorrect Error Types for Address Checks

updateUserBoost() incorrectly uses InvalidPool when validating the user address:

if (user == address(0)) revert InvalidPool(); // Should be InvalidUser/InvalidAddress
delegateBoost() incorrectly uses InvalidPool when checking the to address:

if (to == address(0)) revert InvalidPool(); // Should be InvalidAddress

2. Inconsistent Pool Support Errors

_calculateBoost() reverts with PoolNotSupported():

if (!supportedPools[pool]) revert PoolNotSupported();
calculateBoost() reverts with UnsupportedPool() for the same condition:

if (!supportedPools[pool]) revert UnsupportedPool();

Impact:

Misleading Errors: Developers and users receive incorrect error types (e.g., InvalidPool instead of InvalidUser), causing confusion during debugging.
Integration Risks: External systems (e.g., UIs, bots) relying on specific error messages for handling pool checks may fail due to inconsistency (PoolNotSupported vs. UnsupportedPool).
Code Quality Degradation: Poor error hygiene complicates maintenance and increases technical debt.

Impact

Severity: Low

No Direct Exploit: These issues do not enable fund theft or protocol manipulation.
Indirect Risks: Increased development overhead, potential integration failures, and eroded trust if users encounter nonsensical errors.

Tools Used

Manual code review to identify address validation and error handling patterns.
Cross-referencing error usage across functions.

Recommendations

Standardize Error Messages:
- Use a single error (e.g., PoolNotSupported) for all pool support checks.
- Replace misused errors (e.g., InvalidPool in address checks) with relevant types like InvalidUser or InvalidAddress.
Add Missing Validations:
- In delegateBoost(), ensure the to address is a valid pool:
  
  solidity
  
  Copy
  
  require(supportedPools[to], "PoolNotSupported");
Audit Error Usage:
- Refactor all instances where address(0) is checked to use InvalidAddress instead of InvalidPool or other irrelevant errors.
Document Errors:
- Create a clear error code table in the contract documentation to guide integrators.

Example Fixes:

// Define standardized errors

error InvalidAddress();

error PoolNotSupported();

// Corrected checks in updateUserBoost

if (user == address(0)) revert InvalidAddress();

// Corrected checks in delegateBoost

if (to == address(0)) revert InvalidAddress();

if (!supportedPools[to]) revert PoolNotSupported();

// Unified pool support check

function calculateBoost(...) external view ... {

if (!supportedPools[pool]) revert PoolNotSupported(); // Replaces UnsupportedPool

}

This improves code clarity, reduces integration risks, and ensures consistent protocol behavior.

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!