Omniscia Myso Finance Audit
LoanProposalFactory Static Analysis Findings
LPF-01S: Inexistent Sanitization of Input Addresses
Type | Severity | Location |
---|---|---|
Input Sanitization | | LoanProposalFactory.sol:L18-L21, L23-L58 |
Description:
The linked function(s) accept `address` arguments yet do not properly sanitize them.
Impact:
The presence of zero-value addresses, especially in `constructor` implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
contracts/peer-to-pool/LoanProposalFactory.sol
```solidity
function createLoanProposal(
    address _fundingPool,
    address _collToken,
    uint256 _arrangerFee,
    uint256 _unsubscribeGracePeriod,
    uint256 _conversionGracePeriod,
    uint256 _repaymentGracePeriod
) external {
    bytes32 salt = keccak256(
        abi.encodePacked(loanProposalImpl, msg.sender, loanProposals.length)
    );
    address newLoanProposal = Clones.cloneDeterministic(
        loanProposalImpl,
        salt
    );
    loanProposals.push(newLoanProposal);
    isLoanProposal[newLoanProposal] = true;
    ILoanProposalImpl(newLoanProposal).initialize(
        msg.sender,
        _fundingPool,
        _collToken,
        _arrangerFee,
        _unsubscribeGracePeriod,
        _conversionGracePeriod,
        _repaymentGracePeriod
    );

    emit LoanProposalCreated(
        newLoanProposal,
        _fundingPool,
        msg.sender,
        _collToken,
        _arrangerFee,
        _unsubscribeGracePeriod
    );
}
```
Recommendation:
We advise some basic sanitization to be put in place by ensuring that each `address` specified is non-zero.
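One way to apply this recommendation, shown as an added example that is neither the project's code nor the fix referenced in the alleviation. The contract name, the `ZeroAddress` error, the constructor signature and the `initialize` parameter names are assumptions; the event emission from the excerpt is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Clones} from "@openzeppelin/contracts/proxy/Clones.sol";

// Interface shape inferred from the initialize(...) call in the excerpt; parameter names are assumed.
interface ILoanProposalImpl {
    function initialize(
        address arranger, address fundingPool, address collToken,
        uint256 arrangerFee, uint256 unsubscribeGracePeriod,
        uint256 conversionGracePeriod, uint256 repaymentGracePeriod
    ) external;
}

contract LoanProposalFactorySketch {
    error ZeroAddress(); // hypothetical error name

    address public immutable loanProposalImpl;
    address[] public loanProposals;
    mapping(address => bool) public isLoanProposal;

    // Assumed constructor shape: a zero implementation address can never be
    // corrected after deployment, so it is rejected up front.
    constructor(address _loanProposalImpl) {
        if (_loanProposalImpl == address(0)) revert ZeroAddress();
        loanProposalImpl = _loanProposalImpl;
    }

    function createLoanProposal(
        address _fundingPool, address _collToken, uint256 _arrangerFee,
        uint256 _unsubscribeGracePeriod, uint256 _conversionGracePeriod,
        uint256 _repaymentGracePeriod
    ) external {
        // Reject zero-value addresses before a clone is deployed or state is written.
        if (_fundingPool == address(0) || _collToken == address(0)) revert ZeroAddress();

        bytes32 salt = keccak256(
            abi.encodePacked(loanProposalImpl, msg.sender, loanProposals.length)
        );
        address newLoanProposal = Clones.cloneDeterministic(loanProposalImpl, salt);
        loanProposals.push(newLoanProposal);
        isLoanProposal[newLoanProposal] = true;
        ILoanProposalImpl(newLoanProposal).initialize(
            msg.sender, _fundingPool, _collToken, _arrangerFee,
            _unsubscribeGracePeriod, _conversionGracePeriod, _repaymentGracePeriod
        );
    }
}
```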
Alleviation (37cf23668be352a4eac5d1cbed262f116e54d94f):
All arguments of the function are properly validated in the `Factory::createLoanProposal` function of the singleton `Factory` instance, rendering this exhibit fully addressed.