Omniscia Symbiosis Finance Audit

BridgeV2 Manual Review Findings

BV2-01M: Inexistent Sanitization of Commissions

Description:

The linked functions allow either the MPC or the owner to request and receive their commissions; however, all input arguments (token, recipient and amount) are blindly trusted and no sanitization is performed on them.

Example:

contracts/synth-contracts/bridge-v2/BridgeV2.sol

/**
 * @notice Get commission by MPC
 */
function getCommissionByMPC(address token, address to, uint256 amount) external onlyMPC returns (bool) {
    TransferHelper.safeTransfer(token, to, amount);
    return true;
}

Recommendation:

As the contract is meant to retain funds at rest, we strongly advise that this trait of the system be re-evaluated and that commissions instead be tracked locally, so that a withdrawal can never exceed what the bridge has actually earned.
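The recommendation above, shown as an added illustration that is not Symbiosis code: the unsanitized form from the finding sits beside a variant that keeps a local per-token commission ledger and bounds withdrawals by it. The `accruedCommission` mapping, the `_recordCommission` hook and the `mpc`/`owner` fields are assumed names; the `TransferHelper` stub is a minimal stand-in for the page's library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not project code. Minimal stand-in for TransferHelper.safeTransfer.
library TransferHelper {
    function safeTransfer(address token, address to, uint256 value) internal {
        // selector of transfer(address,uint256)
        (bool ok, bytes memory data) = token.call(abi.encodeWithSelector(0xa9059cbb, to, value));
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "TransferHelper: TRANSFER_FAILED");
    }
}

contract CommissionVault {
    address public immutable mpc;   // assumed name
    address public immutable owner; // assumed name

    // Assumed ledger: commission the bridge has actually earned, per token.
    mapping(address => uint256) public accruedCommission;

    modifier onlyMPC() { require(msg.sender == mpc, "not MPC"); _; }

    constructor(address _mpc, address _owner) { mpc = _mpc; owner = _owner; }

    // Assumed hook: bridge logic calls this whenever a fee is deducted from a transfer,
    // so the ledger grows only with fees that were really collected.
    function _recordCommission(address token, uint256 fee) internal {
        accruedCommission[token] += fee;
    }

    // Form mirroring the finding: token, recipient and amount are accepted unchecked,
    // so any balance held by the contract can be moved out by a single MPC call.
    function getCommissionByMPC_unchecked(address token, address to, uint256 amount) external onlyMPC returns (bool) {
        TransferHelper.safeTransfer(token, to, amount);
        return true;
    }

    // Hardened form: recipient is sanitized and the amount is capped by the local
    // ledger, so funds at rest that are not commission cannot be withdrawn.
    function getCommissionByMPC(address token, address to, uint256 amount) external onlyMPC returns (bool) {
        require(to != address(0), "zero recipient");
        require(amount != 0, "zero amount");
        uint256 available = accruedCommission[token];
        require(amount <= available, "exceeds accrued commission");
        accruedCommission[token] = available - amount; // update state before the external call
        TransferHelper.safeTransfer(token, to, amount);
        return true;
    }
}
```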

Alleviation:

The Symbiosis Finance team stated that this is intended behaviour, as the contract is solely meant to retain commission funds at rest. As a result, we consider this exhibit null.