Omniscia Flisko Audit
IDO Manual Review Findings
IDO-01M: Incorrect Percentage Calculation
| Type | Severity | Location |
|---|---|---|
| Mathematical Operations | Major | IDO.sol:L309, L316, L323, L330, L337 |
Description:
The contribution percentage of a particular user within a specified tier is calculated in the incorrect order: the tier's total locked amount is divided by the user's contribution rather than the user's contribution by the total.
Example:
contracts/IDO.sol

```solidity
308 tierAlloc = totalIdoTokens.mul(t1.perc).div(1000);
309 userPerc = t1.totalLocked.mul(100).div(t1.participant[msg.sender]);
310 idoTokenAmount = tierAlloc.mul(userPerc).div(1000);
311 swapTokenAmount = idoTokenAmount.div(swapPrice);
312 // swapTokenAmount = idoTokenAmount.mul(swapPrice).div(10 ** idoTokenDecimals).mul(10 ** swapTokenDecimals);
313 return (idoTokenAmount, swapTokenAmount, tierAlloc, userPerc);
```

Recommendation:
We advise that the user's contribution be divided by the total contributions of the tier, instead of the other way around, so that the user's proportion is calculated correctly.
Alleviation:
The percentage calculations were corrected in the latest iteration.
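As an added illustration that is not code from the report or from the Flisko code base, the following Python models the arithmetic of lines L308-L310 with integer math, which truncates like Solidity's SafeMath, and contrasts the ordering as written with the recommended one. The basis-point scale for the corrected share, the sample token supply and the sample contributions are assumptions made for the example.

```python
# Added example, not from the Omniscia report or the Flisko IDO contract.
# Python ints with floor division behave like uint256 under SafeMath for the
# values used here, so the arithmetic mirrors IDO.sol L308-L310.

SCALE = 10_000  # assumption: user share expressed in basis points (1 bp = 0.01%)


def user_perc_original(total_locked: int, user_locked: int) -> int:
    """Ordering as written on IDO.sol L309: total / user, scaled by 100."""
    if user_locked == 0:
        # SafeMath.div reverts on a zero divisor, so a participant with no
        # contribution would revert the call instead of receiving 0.
        raise ZeroDivisionError("division by zero (SafeMath revert)")
    return total_locked * 100 // user_locked


def user_perc_fixed(total_locked: int, user_locked: int) -> int:
    """Recommended ordering: user / total, scaled to SCALE."""
    if total_locked == 0:
        raise ZeroDivisionError("division by zero (SafeMath revert)")
    if user_locked > total_locked:
        raise ValueError("a contribution cannot exceed the tier total")
    return user_locked * SCALE // total_locked


def tier_allocation(total_ido_tokens: int, tier_perc: int) -> int:
    """Mirrors L308: the tier percentage is given in tenths of a percent."""
    return total_ido_tokens * tier_perc // 1000


def ido_amount_original(tier_alloc: int, total_locked: int, user_locked: int) -> int:
    """Mirrors L309-L310 as written in the audited revision."""
    return tier_alloc * user_perc_original(total_locked, user_locked) // 1000


def ido_amount_fixed(tier_alloc: int, total_locked: int, user_locked: int) -> int:
    """L310 with the corrected share and a divisor matching its scale."""
    return tier_alloc * user_perc_fixed(total_locked, user_locked) // SCALE


def distributed(tier_alloc: int, contributions: list[int], amount_fn) -> int:
    """Total IDO tokens handed out to every participant of one tier."""
    total_locked = sum(contributions)
    return sum(amount_fn(tier_alloc, total_locked, c) for c in contributions)


if __name__ == "__main__":
    # Constructed sample: 1,000,000 IDO tokens, a tier entitled to 25.0% of
    # them, and three participants who locked 100, 200 and 700 units.
    alloc = tier_allocation(1_000_000, 250)  # 250_000
    locked = [100, 200, 700]
    print("original:", distributed(alloc, locked, ido_amount_original))  # 410500
    print("fixed:   ", distributed(alloc, locked, ido_amount_fixed))     # 250000
```

With the ordering as written, a participant who locked 10% of the tier is assigned a share of 1000 and receives the entire 250,000-token tier allocation on their own; summed over the three participants the contract would hand out 410,500 tokens against an allocation of 250,000. With the recommended ordering the shares sum to exactly the allocation, and truncation can only round down, never over-allocate.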
IDO-02M: Inexplicable Administrative Functionality
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Minor | IDO.sol:L373-L375 |
Description:
The setSwapPrice function can be invoked an arbitrary number of times, changing the swap price at will.
Example:
contracts/IDO.sol

```solidity
373 function setSwapPrice(uint256 _price) external onlyOwner {
374     swapPrice = _price;
375 }
```

Recommendation:
We strongly recommend that the function be invocable only once, ensuring that users are fully aware of the swap price and that a race condition does not arise.
Alleviation:
A require check and a flag were introduced to guard against repeated invocations.