Omniscia Mean Finance Audit

NFT Permission System Security Audit

Audit Report Revisions

| Commit Hash | Date | Audit Report Hash |
|---|---|---|
| 1e75f88d0d | November 14th 2023 | 0845540c0f |
| d78f693148 | November 23rd 2023 | f02d22ec6e |
| d78f693148 | November 23rd 2023 | 177876fff9 |

Audit Overview

We were tasked with performing an audit of the Mean Finance codebase and in particular their NFT Permission System module.

Over the course of the audit, we identified a significant misbehaviour in how ownership changes are handled when burning / minting positions that could lead to permissions remaining valid for the next owner of an NFT under certain conditions.

Additionally, we identified a mismatch between the contract's specification and its implementation, as the contract should disallow interactions with the ERC721::_mint function in its current state.

We advise the Mean Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them, as well as to consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Mean Finance team iterated through all findings within the report and provided us with a revised commit hash to evaluate all exhibits on.

We evaluated all alleviations performed by Mean Finance and have identified that all exhibits have been adequately dealt with, with no outstanding issues remaining in the report.

Audit Synopsis

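| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| | 0 | 0 | 0 | 0 |
| | 9 | 8 | 0 | 1 |
| | 1 | 1 | 0 | 0 |
| | 1 | 1 | 0 | 0 |
| | 1 | 1 | 0 | 0 |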

During the audit, we filtered and validated a total of 1 finding utilizing static analysis tools and identified a total of 11 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they can introduce potential misbehaviours of the system as well as exploits.

Total Alleviations

The list below covers each segment of the audit in depth and links to the respective chapter of the report: