Omniscia Mean Finance Audit

CollectableDust Manual Review Findings

CDT-01M: Inexistent Validation of Asset Transfer

Description:

The contract name (CollectableDust) alludes to a system that permits an authorized party to withdraw any leftover funds from the contract rather than have total control over all assets held by it.

Example:

solidity/contracts/utils/CollectableDust.sol

```solidity
/// @inheritdoc ICollectableDust
function sendDust(
  address _token,
  uint256 _amount,
  address _recipient
) external onlyGovernor {
  if (_recipient == address(0)) revert DustRecipientIsZeroAddress();
  if (_token == PROTOCOL_TOKEN) {
    payable(_recipient).sendValue(_amount);
  } else {
    IERC20(_token).safeTransfer(_recipient, _amount);
  }
  emit DustSent(_token, _amount, _recipient);
}
```

Recommendation:

We advise that the sendDust function be revised to impose input sanitization on the _token and _amount arguments, as the governor should not be able to tap into assets that are actively utilized by the contract that inherits CollectableDust; without such a check, the function grants full control over every asset the contract holds rather than only leftover "dust".
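One way the recommended sanitization could be applied, shown as an added example that is not Mean Finance's code: the inheriting contract declares how much of each asset it actively relies on, and sendDust may only move the surplus above that amount. The governor storage, the `_inUseBalance` hook, the `AmountExceedsDust` error and the value of `PROTOCOL_TOKEN` are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import '@openzeppelin/contracts/token/ERC20/IERC20.sol';
import '@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol';
import '@openzeppelin/contracts/utils/Address.sol';

/// Hypothetical hardened variant of CollectableDust (added example, not the audited code).
abstract contract CollectableDustHardened {
  using SafeERC20 for IERC20;
  using Address for address payable;

  // Assumed sentinel for the native asset; the audited constant's value is not shown on the page.
  address public constant PROTOCOL_TOKEN = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;

  address public governor; // assumed governance storage for this example

  error DustRecipientIsZeroAddress();
  error NotGovernor();
  error AmountExceedsDust(address token, uint256 requested, uint256 available);

  event DustSent(address token, uint256 amount, address recipient);

  modifier onlyGovernor() {
    if (msg.sender != governor) revert NotGovernor();
    _;
  }

  /// Amount of `_token` the inheriting contract considers in use (e.g. user deposits).
  /// The inheriting contract must implement this from its own accounting.
  function _inUseBalance(address _token) internal view virtual returns (uint256);

  /// Surplus above the accounted balance; only this portion counts as dust.
  function availableDust(address _token) public view returns (uint256) {
    uint256 held = _token == PROTOCOL_TOKEN
      ? address(this).balance
      : IERC20(_token).balanceOf(address(this));
    uint256 inUse = _inUseBalance(_token);
    return held > inUse ? held - inUse : 0;
  }

  function sendDust(address _token, uint256 _amount, address _recipient) external onlyGovernor {
    if (_recipient == address(0)) revert DustRecipientIsZeroAddress();
    // Sanitize the amount: reject anything that would dip into in-use assets.
    uint256 available = availableDust(_token);
    if (_amount > available) revert AmountExceedsDust(_token, _amount, available);
    if (_token == PROTOCOL_TOKEN) {
      payable(_recipient).sendValue(_amount);
    } else {
      IERC20(_token).safeTransfer(_recipient, _amount);
    }
    emit DustSent(_token, _amount, _recipient);
  }
}
```

Reviewers can check the guard with a unit test that funds the contract beyond its accounted balance and confirms that a sendDust call exceeding availableDust reverts with AmountExceedsDust.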

Alleviation (6ed56b5449ca241fc6be369d44f392f1f5313f93):

The Mean Finance team evaluated this exhibit but opted not to apply a remediation for it in the current version of the codebase as they deem it a non-issue. As a result, we consider the exhibit acknowledged.