Omniscia Mean Finance Audit

Transformers Module Security Audit

Audit Overview

We were tasked with performing an audit of the Mean Finance codebase, in particular their transformer system, which allows the creation of arbitrary logic contracts meant to transform one asset into another (usually an underlying asset to a representation of it and vice versa).

Over the course of the audit, we identified an incorrect balance measurement within the TransformerRegistry that would cause all native-asset transformers to fail execution within the transformAllToDependent function along with other minor vulnerabilities within the code.

We advise the Mean Finance team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The Mean Finance team iterated through all findings in the report and provided us with an adequate response on each finding as well as stated which findings they deemed as negligible and thus will acknowledge.

All identified findings have been sufficiently alleviated in the latest commit hash provided to us by the Mean Finance team.

An additional PR was submitted to the codebase that introduced a _deadline argument, similar to other DeFi protocols (e.g. Uniswap), to ensure that transactions are executed in a timely manner and that the specified slippage values reflect non-stale market conditions.

No additional findings were identified in the code that introduced _deadline validation and as such the code is safe to merge with main.

Contracts Assessed

Audit Synopsis

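| Severity | Identified | Alleviated | Partially Alleviated | Acknowledged |
|---|---|---|---|---|
| Unknown | 4 | 2 | 0 | 2 |
| Informational | 3 | 3 | 0 | 0 |
| Minor | 5 | 1 | 0 | 4 |
| Medium | 2 | 2 | 0 | 0 |
| Major | 0 | 0 | 0 | 0 |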

During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools as well as identified a total of 12 findings during the manual review of the codebase. We strongly recommend that any minor severity or higher findings are dealt with promptly prior to the project's launch as they introduce potential misbehaviours of the system as well as exploits.

Total issues by severity: Unknown 4, Informational 3, Minor 5, Medium 2, Major 0.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: