Omniscia Flourishing Capital Audit
Token Implementation Security Audit
We were tasked with auditing the codebase of Flourishing Capital and, in particular, their unique timestamp-based vesting token implementation, which is meant to seamlessly unvest tokens as they gradually become available.
We identified two major issues in the codebase. The first causes it to misbehave and improperly apply the vesting schedules that are meant to be enforced for a particular user. The second breaks the expected conformity of the approve function with the ERC-20 / EIP-20 specification, causing the token to be incompatible with most DeFi applications.
The code style should also be updated to conform to the official Solidity style guide, and the test cases of the project need to be expanded to account for a wider array of possibilities. We strongly urge the Flourishing Capital team to remediate the issues identified by the report as soon as possible to ensure the codebase reaches a production-ready state.
In the latest iteration of the codebase, significant elements were introduced that render the new version of the codebase vastly different from the originally audited one. The changes introduced were not newly audited and should not be considered as being in scope of this audit.
Files in Scope | Repository | Commit(s) |
---|---|---|
ERC20VestableInTimestamp.sol (ERC) | token | 19765cb261, f3067d5682, 146c447a61 |
FlourishingAIToken.sol (FAI) | token | 19765cb261, f3067d5682, 146c447a61 |
During the audit, we filtered and validated a total of 4 findings utilizing static analysis tools and identified a total of 11 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher be dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.
The list below covers each segment of the audit in depth and links to the respective chapter of the report: