The code is exploitable, and not just by an evil oper but by users as well. All one needs to do is get you to join #$q (which is a valid channel name) to be able to make you quit IRC (/q is a /quit default alias, or at least something a lot of users have installed). It may not be possible to cram $findfile in there (main issue being that commas are treated as channel delimiters) but apart from the fact that a less serious exploit is still an exploit, you don't want to make assumptions about the attacker's creativity.
