
Vulnerabilities Fixed on GitHub Not Updated On-Chain #914

Open
hrkmaster opened this issue Feb 21, 2024 · 1 comment


@hrkmaster

On DappRadar, I noticed that the on-chain contract address for Boson Protocol is 0xc477d038d5420c6a9e0b031712f61c5120090de9.

However, even though Boson Protocol has addressed certain vulnerabilities on GitHub, it appears that these corrections have not been reflected in the source code of the on-chain contract.

For instance, regarding the "Prevent renounceOwnership" vulnerability (see GitHub issue link: [https://github.com//issues/588]), the corresponding fix commit can be found on GitHub via this link: [https://github.com//pull/591/files].

Yet, I was unable to locate any source code updates related to this fix at the on-chain contract address 0xc477d038d5420c6a9e0b031712f61c5120090de9.

Could you explain why these fixes have not been promptly updated on-chain?

@zajck
Member

zajck commented Feb 21, 2024

Hi @hrkmaster

The address 0xc477d038d5420c6a9e0b031712f61c5120090de9 is an ERC20 Boson token contract and it's not part of this repository. It's a rather standard ERC20 token and no vulnerabilities have been identified for it. If something was wrong with it, we'd need to shut it down and deploy a completely new instance on a new address, since the token contract is not upgradeable.

The issues in this repository refer to the implementation of the Boson Protocol itself. The biggest part of the protocol, which handles all offers, exchanges, funds etc. and is common to all users (sellers, buyers), is developed using the Diamond standard (EIP-2535), so we can add new features or fix bugs while preserving the same contract address. The protocol's diamond address is 0x59A4C19b55193D5a2EAD0065c54af4d516E18Cb5. However, the implementations are deployed on other addresses, which are listed here: https://github.com/bosonprotocol/boson-protocol-contracts/tree/main/addresses. So whenever we update part of the logic and release a new version, some of these addresses get updated.

Another part of the protocol is Boson Vouchers. They are ERC721 tokens that can be traded on all marketplaces that support them. Since every seller needs their own collection, we put that logic outside the diamond. Because every seller gets a different, separate Boson Voucher contract, it results in better UX on secondary markets. Boson Vouchers are upgradeable as well, although we use a different proxy pattern. You can find the latest deployed Boson Voucher logic contract at 0x208e1180211959C9cAF9305Ff725aa5625484f69. You'll see that all the fixes (including the example you provided) for versions up to v2.3.0 are deployed on chain.

You can read more about the architecture on this page: https://github.com/bosonprotocol/boson-protocol-contracts/blob/main/docs/architecture.md
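The reply above explains why a fix can be live even though the diamond address never changes: the diamond only routes function selectors to facet contracts, and an upgrade re-points selectors to a newly deployed facet. The following is an added example, not Boson Protocol code, modelling that EIP-2535 routing offline and showing the check a reviewer would run to confirm a release is actually deployed: compare what the diamond routes each selector to against the facet addresses a release lists. All addresses are constructed placeholders, the release manifest shape is a simplified assumption (the repository's own addresses files use a different format), and the three selector values are the standard 4-byte selectors for the Ownable functions.

```javascript
// Added example (not Boson Protocol code): offline model of EIP-2535 facet
// routing plus a release-verification check. Addresses are constructed.

// Constructed placeholder addresses, NOT real deployments.
const DIAMOND_ADDRESS = "0x1111111111111111111111111111111111111111";
const OWNERSHIP_FACET_V1 = "0x2222222222222222222222222222222222222222";
const OWNERSHIP_FACET_V2 = "0x3333333333333333333333333333333333333333";

// Standard 4-byte selectors: first four bytes of keccak256(signature).
const SELECTORS = {
  "owner()": "0x8da5cb5b",
  "transferOwnership(address)": "0xf2fde38b",
  "renounceOwnership()": "0x715018a6",
};

// IDiamondCut.FacetCutAction as defined by EIP-2535.
const FacetCutAction = { Add: 0, Replace: 1, Remove: 2 };

// Minimal diamond: a single routing table from selector to facet address.
class Diamond {
  constructor(address) {
    this.address = address;
    this.routes = new Map(); // selector -> facet address (lowercase)
  }

  // Mirrors IDiamondCut.diamondCut; each cut is
  // { facetAddress, action, functionSelectors }.
  diamondCut(cuts) {
    for (const { facetAddress, action, functionSelectors } of cuts) {
      const target = facetAddress.toLowerCase();
      for (const selector of functionSelectors) {
        const current = this.routes.get(selector);
        if (action === FacetCutAction.Add) {
          if (current) throw new Error(`Add: ${selector} already routed`);
          this.routes.set(selector, target);
        } else if (action === FacetCutAction.Replace) {
          if (!current) throw new Error(`Replace: ${selector} not routed`);
          if (current === target) throw new Error(`Replace: ${selector} already on ${target}`);
          this.routes.set(selector, target);
        } else if (action === FacetCutAction.Remove) {
          if (!current) throw new Error(`Remove: ${selector} not routed`);
          this.routes.delete(selector);
        } else {
          throw new Error(`unknown FacetCutAction ${action}`);
        }
      }
    }
  }

  // Mirrors IDiamondLoupe.facetAddress: which facet serves this selector?
  facetAddress(selector) {
    return this.routes.get(selector) || null;
  }
}

// Simplified release manifest (constructed shape): the facet address each
// selector is expected to resolve to for a given release.
function makeRelease(version, facetAddress) {
  return {
    version,
    facets: [{ name: "OwnershipFacet", address: facetAddress, selectors: Object.values(SELECTORS) }],
  };
}

// Compare the diamond's actual routing with the manifest. Returns one entry
// per selector that does not resolve to the listed facet (empty = deployed).
function verifyRelease(diamond, release) {
  const mismatches = [];
  for (const facet of release.facets) {
    const expected = facet.address.toLowerCase();
    for (const selector of facet.selectors) {
      const actual = diamond.facetAddress(selector);
      if (actual !== expected) mismatches.push({ selector, expected, actual });
    }
  }
  return mismatches;
}

// Initial deployment: the v1 ownership facet serves all three selectors.
function deployV1() {
  const diamond = new Diamond(DIAMOND_ADDRESS);
  diamond.diamondCut([{ facetAddress: OWNERSHIP_FACET_V1, action: FacetCutAction.Add, functionSelectors: Object.values(SELECTORS) }]);
  return diamond;
}

// Upgrade: a fixed facet lives at a NEW address and the diamond is re-pointed.
// The diamond's own address never changes, so a fix is invisible there.
function upgradeToV2(diamond) {
  diamond.diamondCut([{ facetAddress: OWNERSHIP_FACET_V2, action: FacetCutAction.Replace, functionSelectors: Object.values(SELECTORS) }]);
  return diamond;
}

const demo = deployV1();
const v2 = makeRelease("v2", OWNERSHIP_FACET_V2);
console.log("before upgrade, selectors not yet on v2 facet:", verifyRelease(demo, v2).length);
upgradeToV2(demo);
console.log("after upgrade, diamond address:", demo.address, "mismatches:", verifyRelease(demo, v2).length);
```

Against a live diamond the same check is done by calling the loupe's `facetAddress(bytes4)` for each selector of the facet that carries the fix and comparing the result with the address listed for that release, rather than by looking for changed source at the diamond address itself.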
