Omniscia Mean Finance Audit
Token Manual Review Findings
Token Manual Review Findings
TNE-01M: Potentially Invalidated Assumption
| Type | Severity | Location |
|---|---|---|
| Mathematical Operations |  | Token.sol:L78-L79 |
Description:
The Token::distributeTo function assumes that the _distribution being processed is composed of recipients that are not equal to the contract the code is being executed on, however, this is not guaranteed.
Impact:
The Token::distributeTo function performs an unchecked subtraction on the _amountLeft value that may overflow if a distribution recipient is the logic contact itself given that the balance will remain available for the next distribution.
Example:
63function distributeTo(64 address _token,65 DistributionTarget[] calldata _distribution66)67 internal68 returns (uint256 _available)69{70 _available = balanceOnContract(_token);71 uint256 _amountLeft = _available;72
73 // Distribute amounts74 for (uint256 i; i < _distribution.length - 1;) {75 uint256 _toSend = _available * _distribution[i].shareBps / 10_000;76 sendAmountTo(_token, _toSend, _distribution[i].recipient);77 unchecked {78 // We know that _toSend <= _amountLeft because if it wasn't, sendAmountTo would have reverted79 _amountLeft -= _toSend;80 ++i;81 }82 }83
84 // Send amount left to the last recipient85 sendAmountTo(_token, _amountLeft, _distribution[_distribution.length - 1].recipient);86}Recommendation:
We advise the code to perform the _amountLeft subtraction using checked arithmetics as the gas cost is minimal and protects against multiple types of exploits, including self-transfers (that can thus exceed the 10_000 BPS number and still succeed) as well as potential re-entrancy attack vectors that take advantage of that.
Alleviation:
The Mean Finance team evaluated this exhibit and relocated the _amountLeft subtraction outside the unchecked code block, ensuring that the edge-case condition referenced here will fail with a clearer error.