Assessment reportsPublic findings
Back to Zellic site
Assessment reports>DexFi Factory>Informational findings>Connector data is not cleared when profit tokens or farms are removed from the allowlist
GeneralOverview
Findings
High (1)
Informational (1)Connector data is not cleared when profit tokens or farms are removed from the allowlist
DiscussionWhitelist removal is irreversibleAmbiguity in the name vaultImplementationMisaligned validation for initialPriceNativeAmountTest suite
Audit ResultsAssessment Results
Category: Business Logic

Connector data is not cleared when profit tokens or farms are removed from the allowlist

Informational Severity
Informational Impact
N/A Likelihood

Description

The removeProfitTokensWhitelist function does not clear data in the profitTokenConnector storage mapping. Consequently, calls to profitTokenConnector may return outdated connector information after the associated profit-token beacon is removed from the whitelist.

Similarly, the removeFarmsWhitelist function does not clear data in the farmCalculationConnector mapping.

Impact

Data queried from profitTokenConnector and farmCalculationConnector might correspond to profit tokens or farms that are no longer on the whitelist.

Recommendations

We recommend clearing the relevant connector data within the removeProfitTokensWhitelist and removeFarmsWhitelist functions when items are removed.

Remediation

DexFi provided the following response to this finding:

We do not remove calculateConnector when removing profitToken from the factory, as there are vaults that used this profit token when creating the vault before its removal; therefore, there is a need to access the data on this calculateConnector. The removeProfitTokensWhitelist will simply prevent the creation of new vaults with this profitToken.

Similarly to ProfitToken (for removeFarmsWhitelist).

Zellic © 2025Back to top ↑