TokenPool Manual Review Findings

TPL-01M: Inexistent Reversal of Authority

Description:

The addWhitelist function is a one-way function to authorize a designated party as able to transact the full balance of any token held by the contract.

Example:

Copy
40function addWhitelist(address account) external onlyOwner {
41    require(account != address(0));
42    whitelists[account] = true;
43}

Recommendation:

We advise the system to be slightly restructured as a precautionary security measure. Firstly, we advise a method to be coded to remove individuals from the whitelist. This would potentially allow the owner of the contract to "race" a malicious transaction and salvage the action of a misbehaving whitelisted member. Lastly, we recommend a cap-based approach to be utilized instead whereby a whitelisted member is only able to transact up to a specified cap which is consumed on each transaction and can be refreshed. This guarantees that at any given point in time a small amount of capital will be at risk.

Alleviation:

A removeWhitelist function was added with the onlyOwner modifier alleviating this exhibit.