Omniscia Mean Finance Audit
ProtocolTokenWrapperTransformer Manual Review Findings
ProtocolTokenWrapperTransformer Manual Review Findings
PTW-01M: Inexistent Validation of Array Length
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | ProtocolTokenWrapperTransformer.sol:L29, L34, L64, L74 |
Description:
The linked array input arguments are not validated as possessing a length of 1 which can cause significant issues in integrators of the system as they may "trust" the array input as an actual source of the deposited funds and credit the user inappropriately.
Example:
61/// @inheritdoc ITransformer62function transformToDependent(63 address _dependent,64 UnderlyingAmount[] calldata _underlying,65 address _recipient66) external payable returns (uint256 _amountDependent) {67 _amountDependent = _underlying[0].amount;68 _wrapAndTransfer(IWETH9(_dependent), _amountDependent, _recipient);69}Recommendation:
We advise the length to be properly validated as 1 in the referenced instances to ensure the codebase can be integrated with at all points of the Mean Finance ecosystem properly.
Alleviation (6ed56b5449ca241fc6be369d44f392f1f5313f93):
Length sanitization was introduced throughout all referenced functions thereby disallowing "spoofing" of amounts that were transformed and alleviating this exhibit in full.
PTW-02M: Improper payable Trait Definitions
| Type | Severity | Location |
|---|---|---|
| Language Specific |  | ProtocolTokenWrapperTransformer.sol:L56, L76, L91 |
Description:
The referenced functions are all declared as payable, however, the contract does not handle any native funds within them.
Impact:
It is currently possible for native funds to be locked in the contract and solely redeemable via administrative processes, an inconvenience that can be avoided via proper programming practices.
Example:
51/// @inheritdoc ITransformer52function transformToUnderlying(53 address _dependent,54 uint256 _amountDependent,55 address _recipient56) external payable returns (UnderlyingAmount[] memory) {57 _takeFromSenderAndUnwrap(IWETH9(_dependent), _amountDependent, _recipient);58 return _toUnderylingAmount(PROTOCOL_TOKEN, _amountDependent);59}60
61/// @inheritdoc ITransformer62function transformToDependent(63 address _dependent,64 UnderlyingAmount[] calldata _underlying,65 address _recipient66) external payable returns (uint256 _amountDependent) {67 _amountDependent = _underlying[0].amount;68 _wrapAndTransfer(IWETH9(_dependent), _amountDependent, _recipient);69}Recommendation:
We advise the payable modifiers from the referenced functions and the receive function declaration to be omitted from the codebase as they can lead to loss of funds and do not affect the functionality of other contracts such as Multicall as a delegatecall with zero ether is identical to a call to a non-payable function.
Alleviation (6ed56b5449ca241fc6be369d44f392f1f5313f93):
The Mean Finance team evaluated this exhibit but opted not to apply a remediation for it in the current version of the codebase as they deem it a non-issue. As a result, we consider the exhibit acknowledged.