Omniscia CloudFunding Audit

Crowdfunding System Security Audit

Audit Overview

We were tasked with performing an audit of CloudFunding and in particular their Flare Network-specific crowdfunding implementation, which is meant to support a complex crowdfunding mechanism in which FTSO rewards are distributed either to the participants of the crowdfunding campaign or to the project owners, depending on the raise status.

Over the course of the audit, we identified a significant flaw in the way capital accounting is performed by the CapitalAccounting contract, one that can materially affect the project's operation.

We advise the CloudFunding team to closely evaluate all minor-and-above findings identified in the report and promptly remediate them as well as consider all optimizational exhibits identified in the report.

Post-Audit Conclusion

The CloudFunding team reviewed the audit report and produced a detailed PDF document explaining why certain exhibits should be nullified as well as expressing their disagreement with certain others.

We would like to note that static analysis findings are not opinionated; they are the outputs of automated tools. Whilst disagreement with certain findings, such as zero-address checks, is valid, the static analysis output exists and is listed as is.

Additionally, on the topic of compilation, locking the compiler version at the contract level is advised practice throughout the Solidity development community, because the acceptable syntax of the language can change between sub-versions, as the Solidity language is still in "beta" based on its semver.

While libraries do have open-ended pragma statements, it is ill-advised not to lock the compiler version in the codebase of the contracts during development, as behaviour can change significantly between "PATCH" versions under the semver classification.

To conclude, all findings of the report have been adequately addressed via either supplemental material provided by the CloudFunding team or by changes applied to the codebase.

Contracts Assessed

Audit Synopsis

Severity        Identified    Alleviated    Partially Alleviated    Acknowledged
Unknown         0             0             0                       0
Informational   9             1             0                       8
Minor           5             3             0                       2
Medium          2             2             0                       0
Major           1             1             0                       0

During the audit, we filtered and validated a total of 3 findings utilizing static analysis tools and identified a further 14 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploitable conditions.

Total Issues by severity: Unknown 0, Informational 9, Minor 5, Medium 2, Major 1.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: