Omniscia CloudFunding Audit
IOU2ERC20 Manual Review Findings
IOU2ERC20 Manual Review Findings
IOE-01M: Lock of EIP-20 Funds
Type | Severity | Location |
---|---|---|
Logical Fault | IOU2ERC20.sol:L20 |
Description:
The initialize
function of the IOU2ERC20
contract performs a greater-than-or-equal-to (>=
) validation between the balance of the projectToken
that the contract has and the totalOfferedIOU
whilst it should be an inequality check.
Impact:
Any surplus tokens that exceed the totalOfferedIOU
value will be unclaimable permanently.
Example:
14function initialize(address _iouToken, address _projectToken) external onlyOwner {15 require(iouToken == address(0), 'Already initialized');16 require(_iouToken != address(0) && _projectToken != address(0), 'Address Zero');17 iouToken = _iouToken;18 projectToken = _projectToken;19 require(20 IERC20(projectToken).balanceOf(address(this)) >= CrowdFunding(payable(iouToken)).totalOfferedIOU(),21 'Not enough tokens'22 );23}
Recommendation:
We advise the check to be adjusted to a strict equality check (==
) to ensure no funds remain permanently locked in the contract.
Alleviation:
The code has been adjusted to accept a prefunded
flag and perform a safeTransferFrom
operation from the caller to the contract ensuring that it is sufficiently funded in such a case, with a require
check at the end ensuring that the assets held by the contract are sufficient. After discussion with the CloudFunding team, we concluded that the original check was proper and that an equality check could cause the contract to not be initialized properly in case funds have already been transmitted to it. As a result, we mark the exhibit as nullified.