Omniscia KlimaDAO Audit
AltExercisepKLIMA Manual Review Findings
AltExercisepKLIMA Manual Review Findings
AEK-01M: Improper Wallet Deletion Path
Type | Severity | Location |
---|---|---|
Logical Fault | Minor | AltExercisepKLIMA.sol:L669-L672 |
Description:
The pushWalletChange
does not prevent a user from setting themselves as the new wallet, permitting them to erase their terms
data entry as the pullWalletChange
function first assigns and then deletes the terms
entry.
Example:
669function pushWalletChange( address _newWallet ) external {670 require( terms[ msg.sender ].percent != 0 );671 walletChange[ msg.sender ] = _newWallet;672}673
674// Allows wallet to pull rights from an old address675function pullWalletChange( address _oldWallet ) external {676 require( walletChange[ _oldWallet ] == msg.sender, "wallet did not push" );677
678 walletChange[ _oldWallet ] = address(0);679 terms[ msg.sender ] = terms[ _oldWallet ];680 delete terms[ _oldWallet ];681}
Recommendation:
We advise a require
check to be introduced ensuring that the msg.sender
is not equal to the _newWallet
.
Alleviation:
A require
check was properly introduced preventing assigning self as the wallet change.
AEK-02M: Inexistent Validation of Data Validity
Type | Severity | Location |
---|---|---|
Input Sanitization | Minor | AltExercisepKLIMA.sol:L637, L646, L647 |
Description:
The setTerms
function does not validate whether the _claimed
and _max
values have been properly set.
Example:
637function setTerms(address _vester, uint _rate, uint _claimed, uint _max ) external {638 require( msg.sender == owner, "Sender is not owner" );639 require( _max >= terms[ _vester ].max, "cannot lower amount claimable" );640 require( _rate >= terms[ _vester ].percent, "cannot lower vesting rate" );641 require( _claimed >= terms[ _vester ].claimed, "cannot lower claimed" );642 require( !IPOLY( pOLY ).isApprovedSeller( _vester ) );643
644 terms[ _vester ] = Term({645 percent: _rate,646 claimed: _claimed,647 max: _max648 });649}
Recommendation:
We advise a require
check to be introduced ensuring that the value of _max
is always greater-than-or-equal-to (>=
) the value of _claimed
.
Alleviation:
The value of _max
is now properly mandated to be greater than the value of _claimed
, alleviating this exhibit.