Omniscia Congruent Audit
cCRV Manual Review Findings
CRV-01M: Centralized Token Ownership
Type | Severity | Location
---|---|---
Logical Fault | | cCRV.sol:L14
Description:
The cCRV token grants its deployer an unbounded minting allocation perpetually, and the owner can additionally set arbitrary minting allocations for any address at any time.
Example:
```solidity
constructor () ERC20("Congruent CRV Token", "cCRV") {
    minters[owner()] = type(uint).max;
}

function setMinter(address minter, uint amount) external onlyOwner {
    minters[minter] = amount;
    emit SetMinter(minter, amount);
}
```
Recommendation:
We advise this trait of the system to be revised and the minter allocations to be initialized trustlessly by the other components of the system, as the token can currently be minted arbitrarily by its owner.
Alleviation:
The code was updated to indicate that the owner will be a multisignature address and as such the security of ownership is somewhat heightened. As a result, we will consider this exhibit acknowledged.
CRV-02M: Inexistent Validation of Mint Operation
Type | Severity | Location
---|---|---
Input Sanitization | | cCRV.sol:L22-L28
Description:
The mint function does not validate that the caller holds a non-zero allocation or that a non-zero amount is requested. As a result, any account, including one with no allocation at all, can invoke it and mint zero units to an arbitrary address, and a caller requesting more than its allocation is silently clamped to a smaller mint rather than being rejected.
Example:
```solidity
function mint(address to, uint amount) external {
    if (amount > minters[msg.sender]) {
        amount = minters[msg.sender];
    }
    minters[msg.sender] -= amount;
    _mint(to, amount);
}
```
Recommendation:
We advise the function to instead revert when the caller's minting allocation is zero, rather than silently minting zero units.
Alleviation:
The Congruent team considered this exhibit but opted not to apply a remediation for it in the current iteration of the codebase.
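As an added illustration of the two recommendations above (CRV-01M and CRV-02M), the following contract is not the Congruent code or a proposed patch from the team. It assumes OpenZeppelin 4.x `ERC20` and `Ownable` (the audited constructor calls `owner()` without passing an initial owner, which matches that version), a hypothetical contract name `cCRVHardened`, and a hypothetical one-shot `initializeMinters` function that assigns allocations once and then renounces ownership so that no account retains the ability to mint or re-assign minting rights afterwards. The `mint` function reverts on a zero allocation, a zero amount, or an amount exceeding the allocation instead of clamping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts 4.x (Ownable() takes no constructor argument).
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative hardened variant (not the audited contract). Differences:
///  - the constructor grants nobody an allocation; allocations are assigned
///    exactly once via initializeMinters, after which ownership is renounced
///    so the deployer cannot mint or change allocations later (CRV-01M);
///  - mint reverts instead of silently minting zero units or clamping the
///    requested amount (CRV-02M).
contract cCRVHardened is ERC20, Ownable {
    mapping(address => uint256) public minters;
    bool public initialized;

    event SetMinter(address indexed minter, uint256 amount);

    constructor() ERC20("Congruent CRV Token", "cCRV") {}

    /// Hypothetical one-shot initialization: callable once by the deployer,
    /// then ownership is renounced so no privileged minting path remains.
    function initializeMinters(address[] calldata accounts, uint256[] calldata amounts)
        external
        onlyOwner
    {
        require(!initialized, "cCRV: already initialized");
        require(accounts.length == amounts.length, "cCRV: length mismatch");
        for (uint256 i = 0; i < accounts.length; i++) {
            require(accounts[i] != address(0), "cCRV: zero minter");
            require(amounts[i] != 0, "cCRV: zero allocation");
            minters[accounts[i]] = amounts[i];
            emit SetMinter(accounts[i], amounts[i]);
        }
        initialized = true;
        // Ownable.renounceOwnership transfers ownership to address(0);
        // onlyOwner functions (including this one) become uncallable.
        renounceOwnership();
    }

    /// Reverts rather than clamping: an account with no allocation cannot
    /// call this to emit a zero-value Transfer(0x0, to, 0) event, and a
    /// caller asking for more than its allocation gets an explicit failure
    /// instead of a silently reduced mint.
    function mint(address to, uint256 amount) external {
        require(amount != 0, "cCRV: zero amount");
        uint256 allocation = minters[msg.sender];
        require(allocation != 0, "cCRV: not a minter");
        require(amount <= allocation, "cCRV: exceeds allocation");
        unchecked {
            // Safe: amount <= allocation was checked above.
            minters[msg.sender] = allocation - amount;
        }
        _mint(to, amount);
    }
}
```

Note that OpenZeppelin's `_mint` does not reject a zero amount by itself, which is why the audited code's clamping path reaches `_mint(to, 0)` and emits a zero-value `Transfer` event; the explicit `require` checks above are what close that path. Whether renouncing ownership is acceptable depends on the rest of the system, and it is only one way to satisfy the trustless-initialization recommendation; the Congruent team's chosen alleviation was to hold ownership in a multisignature wallet instead.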