Omniscia CloudFunding Audit
IOU2ERC20 Manual Review Findings
IOU2ERC20 Manual Review Findings
IOE-01M: Lock of EIP-20 Funds
| Type | Severity | Location |
|---|---|---|
| Logical Fault |  | IOU2ERC20.sol:L20 |
Description:
The initialize function of the IOU2ERC20 contract performs a greater-than-or-equal-to (>=) validation between the balance of the projectToken that the contract has and the totalOfferedIOU whilst it should be an inequality check.
Impact:
Any surplus tokens that exceed the totalOfferedIOU value will be unclaimable permanently.
Example:
14function initialize(address _iouToken, address _projectToken) external onlyOwner {15 require(iouToken == address(0), 'Already initialized');16 require(_iouToken != address(0) && _projectToken != address(0), 'Address Zero');17 iouToken = _iouToken;18 projectToken = _projectToken;19 require(20 IERC20(projectToken).balanceOf(address(this)) >= CrowdFunding(payable(iouToken)).totalOfferedIOU(),21 'Not enough tokens'22 );23}Recommendation:
We advise the check to be adjusted to a strict equality check (==) to ensure no funds remain permanently locked in the contract.
Alleviation:
The code has been adjusted to accept a prefunded flag and perform a safeTransferFrom operation from the caller to the contract ensuring that it is sufficiently funded in such a case, with a require check at the end ensuring that the assets held by the contract are sufficient. After discussion with the CloudFunding team, we concluded that the original check was proper and that an equality check could cause the contract to not be initialized properly in case funds have already been transmitted to it. As a result, we mark the exhibit as nullified.