Omniscia CloudFunding Audit
CrowdFunding Static Analysis Findings
CrowdFunding Static Analysis Findings
CFG-01S: Inexistent Visibility Specifiers
| Type | Severity | Location |
|---|---|---|
| Code Style |  | CrowdFunding.sol:L46, L47, L55, L56 |
Description:
The linked variables have no visibility specifier explicitly set.
Example:
46mapping(uint256 => FtsoReward) pendingStakersRewards;Recommendation:
We advise them to be set so to avoid potential compilation discrepancies in the future as the current behaviour is for the compiler to assign one automatically which may deviate between pragma versions.
Alleviation:
The CloudFunding team has opted not to alleviate any informational or minor exhibits they disagree with, thus rendering this exhibit as acknowledged.
CFG-02S: Inexistent Sanitization of Input Address
| Type | Severity | Location |
|---|---|---|
| Input Sanitization |  | CrowdFunding.sol:L58-L70 |
Description:
The linked function accepts an address argument yet does not properly sanitize it.
Impact:
The presence of zero-value addresses, especially in constructor implementations, can cause the contract to be permanently inoperable. These checks are advised as zero-value inputs are a common side-effect of off-chain software related bugs.
Example:
58constructor(59 address _manager,60 address _projectOwner,61 uint256 _natLotSize,62 uint256 _tokenLotSize,63 uint256 _lotQty,64 uint256 _raiseDeadline,65 uint256 _stakingDuration,66 string memory _projectDescription,67 string memory _iouName,68 string memory _iouSymbol,69 uint8 _iouDecimals70) IOU(_iouName, _iouSymbol, _iouDecimals) {Recommendation:
We advise some basic sanitization to be put in place by ensuring that the address specified is non-zero.
Alleviation:
The CloudFunding team has opted not to alleviate any informational or minor exhibits they disagree with, thus rendering this exhibit as acknowledged.
CFG-03S: Improper Invocations of EIP-20 transfer
| Type | Severity | Location |
|---|---|---|
| Standard Conformity |  | CrowdFunding.sol:L349, L498 |
Description:
The linked statement do not properly validate the returned bool of the EIP-20 standard transfer function. As the standard dictates, callers must not assume that false is never returned.
Impact:
If the code mandates that the returned bool is true, this will cause incompatibility with tokens such as USDT / Tether as no such bool is returned to be evaluated causing the check to fail at all times. On the other hand, if the token utilized can return a false value under certain conditions but the code does not validate it, the contract itself can be compromised as having received / sent funds that it never did.
Example:
349wNat.transfer(to, totalRewards);Recommendation:
Since not all standardized tokens are EIP-20 compliant (such as Tether / USDT), we advise a safe wrapper library to be utilized instead such as SafeERC20 by OpenZeppelin to opportunistically validate the returned bool only if it exists in each instance.
Alleviation:
The CloudFunding team has stated that the transfer call is performed on a known token implementation and as such it is safe to execute it directly. As a result, we consider this exhibit nullified.