Omniscia Mean Finance Audit
CollectableDust Manual Review Findings
CollectableDust Manual Review Findings
CDT-01M: Inexistent Validation of Asset Transfer
| Type | Severity | Location |
|---|---|---|
| Centralization Concern | ![]() | CollectableDust.sol:L35, L37 |
Description:
The contract name (CollectableDust) alludes to a system that permits an authorized party to withdraw any leftover funds from the contract rather than have total control over all assets held by it.
Example:
solidity/contracts/utils/CollectableDust.sol
27/// @inheritdoc ICollectableDust28function sendDust(29 address _token,30 uint256 _amount,31 address _recipient32) external onlyGovernor {33 if (_recipient == address(0)) revert DustRecipientIsZeroAddress();34 if (_token == PROTOCOL_TOKEN) {35 payable(_recipient).sendValue(_amount);36 } else {37 IERC20(_token).safeTransfer(_recipient, _amount);38 }39 emit DustSent(_token, _amount, _recipient);40}Recommendation:
We advise the sendDust function to be revised by imposing input sanitization on the _token and _amount arguments as they should not be able to tap into assets that are utilized by the contract that inherits CollectableDust.
Alleviation (6ed56b5449ca241fc6be369d44f392f1f5313f93):
The Mean Finance team evaluated this exhibit but opted not to apply a remediation for it in the current version of the codebase as they deem it a non-issue. As a result, we consider the exhibit acknowledged.
