Omniscia KlimaDAO Audit

KlimaCirculatingSupplyContract Manual Review Findings

KCS-01M: Inexistent Validation of Duplicates

Description:

The _nonCirculatingAddresses array simply overwrites the array stored in the contract and is not validated to be free of duplicates.

Example:

contracts/utils/KlimaCirculatingSupplyContract.sol
    function setNonCirculatingKLIMAAddresses( address[] calldata _nonCirculatingAddresses ) external returns ( bool ) {
      require( msg.sender == owner, "Sender is not owner" );
      nonCirculatingKLIMAAddresses = _nonCirculatingAddresses;

      return true;
    }

Recommendation:

We advise proper sanitization to be imposed to prevent the same entry from being duplicated within the array.

Alleviation:

The KlimaDAO team considered this exhibit but opted to retain the codebase in its current state as it is an administrative function that should have minimal gas overhead.
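
One way to impose the recommended check in a single pass, shown as an added example that is not code from the audit or from KlimaDAO: the setter requires the list in strictly ascending address order, which rules out duplicates without a nested loop. The contract name, the second revert string, and the assumption that the owner sorts the list off-chain before calling are introduced here for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: models only the setter from the exhibit.
// The contract name is hypothetical; the state variable and function
// names follow the excerpt shown in the finding.
contract CirculatingSupplySetterExample {
    address public owner;
    address[] public nonCirculatingKLIMAAddresses;

    constructor() {
        owner = msg.sender;
    }

    function setNonCirculatingKLIMAAddresses(address[] calldata _nonCirculatingAddresses)
        external
        returns (bool)
    {
        require(msg.sender == owner, "Sender is not owner");

        // Assumption: the caller sorts the list off-chain. Requiring each
        // entry to be strictly greater than the previous one means no value
        // can appear twice, and costs one comparison per entry (O(n))
        // instead of the O(n^2) of a pairwise duplicate scan.
        uint256 length = _nonCirculatingAddresses.length;
        for (uint256 i = 1; i < length; i++) {
            require(
                _nonCirculatingAddresses[i] > _nonCirculatingAddresses[i - 1],
                "Addresses not strictly ascending"
            );
        }

        // Same overwrite as the original, reached only for duplicate-free input.
        nonCirculatingKLIMAAddresses = _nonCirculatingAddresses;
        return true;
    }
}
```

An unsorted but duplicate-free list is also rejected by this check, so the ordering requirement becomes part of the function's interface.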