Omniscia KlimaDAO Audit

AltExercisepKLIMA Manual Review Findings

AEK-01M: Improper Wallet Deletion Path

Description:

The pushWalletChange function does not prevent a user from setting themselves as the new wallet. Because the pullWalletChange function first assigns and then deletes the terms entry, such a user can erase their own terms data entry.

Example:

contracts/pKLIMA/regular/AltExercisepKLIMA.sol
function pushWalletChange( address _newWallet ) external {
    require( terms[ msg.sender ].percent != 0 );
    walletChange[ msg.sender ] = _newWallet;
}

// Allows wallet to pull rights from an old address
function pullWalletChange( address _oldWallet ) external {
    require( walletChange[ _oldWallet ] == msg.sender, "wallet did not push" );

    walletChange[ _oldWallet ] = address(0);
    terms[ msg.sender ] = terms[ _oldWallet ];
    delete terms[ _oldWallet ];
}

Recommendation:

We advise a require check to be introduced ensuring that the msg.sender is not equal to the _newWallet.

Alleviation:

A require check was properly introduced, preventing a caller from assigning themselves as the wallet change.

AEK-02M: Inexistent Validation of Data Validity

Description:

The setTerms function does not validate whether the _claimed and _max values have been properly set.

Example:

contracts/pKLIMA/regular/AltExercisepKLIMA.sol
function setTerms(address _vester, uint _rate, uint _claimed, uint _max ) external {
    require( msg.sender == owner, "Sender is not owner" );
    require( _max >= terms[ _vester ].max, "cannot lower amount claimable" );
    require( _rate >= terms[ _vester ].percent, "cannot lower vesting rate" );
    require( _claimed >= terms[ _vester ].claimed, "cannot lower claimed" );
    require( !IPOLY( pOLY ).isApprovedSeller( _vester ) );

    terms[ _vester ] = Term({
        percent: _rate,
        claimed: _claimed,
        max: _max
    });
}

Recommendation:

We advise a require check to be introduced ensuring that the value of _max is always greater-than-or-equal-to (>=) the value of _claimed.

Alleviation:

The value of _max is now properly mandated to be greater than the value of _claimed, alleviating this exhibit.
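
The two recommended checks from AEK-01M and AEK-02M, shown together in a reduced contract. This is an added example, not the KlimaDAO source or the fix as it was actually committed. The contract name, compiler version and the two new revert messages are assumptions, the pOLY approved-seller check is left out to keep the sketch self-contained, and the _max check follows the Recommendation text (>=).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // compiler version is an assumption

// Added sketch: only the state and functions the two findings touch.
contract TermsSketch {
    struct Term {
        uint percent;
        uint claimed;
        uint max;
    }

    address public owner;
    mapping( address => Term ) public terms;
    mapping( address => address ) public walletChange;

    constructor() {
        owner = msg.sender;
    }

    function setTerms( address _vester, uint _rate, uint _claimed, uint _max ) external {
        require( msg.sender == owner, "Sender is not owner" );
        require( _max >= terms[ _vester ].max, "cannot lower amount claimable" );
        require( _rate >= terms[ _vester ].percent, "cannot lower vesting rate" );
        require( _claimed >= terms[ _vester ].claimed, "cannot lower claimed" );
        // AEK-02M: the monotonic checks above compare each argument only with
        // its stored value, so without this line claimed could exceed max.
        require( _max >= _claimed, "claimed exceeds max" ); // message is constructed

        terms[ _vester ] = Term({ percent: _rate, claimed: _claimed, max: _max });
    }

    function pushWalletChange( address _newWallet ) external {
        require( terms[ msg.sender ].percent != 0 );
        // AEK-01M: with _newWallet == msg.sender, pullWalletChange( msg.sender )
        // would copy terms onto itself and then delete that same entry.
        require( _newWallet != msg.sender, "cannot push to self" ); // message is constructed
        walletChange[ msg.sender ] = _newWallet;
    }

    // Unchanged: once self-pushes are rejected, _oldWallet can never equal
    // msg.sender here, so assign-then-delete always acts on two distinct keys.
    function pullWalletChange( address _oldWallet ) external {
        require( walletChange[ _oldWallet ] == msg.sender, "wallet did not push" );

        walletChange[ _oldWallet ] = address(0);
        terms[ msg.sender ] = terms[ _oldWallet ];
        delete terms[ _oldWallet ];
    }
}
```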