Omniscia Swisscoast Audit
TokenScript Manual Review Findings
TST-01M: Potentially Incorrect Token Script Integration
Type | Severity | Location |
---|---|---|
Language Specific | | TokenScript.sol:L20, L24, L28, L32, L36, L40 |
Description:
The `TokenScript` implementation has not been updated to be compatible with native HTS tokens, and will solely function as expected with pure EIP-20 tokens.
Impact:
The `TokenScript` contract has not been updated to be compliant with the Hedera blockchain and specifically the HTS token system.
Example:
packages/contracts/contracts/Proxy/TokenScript.sol
```solidity
 9  contract TokenScript is CheckContract {
10      string constant public NAME = "TokenScript";
11
12      IERC20 immutable token;
13
14      constructor(address _tokenAddress) public {
15          checkContract(_tokenAddress);
16          token = IERC20(_tokenAddress);
17      }
18
19      function transfer(address recipient, uint256 amount) external returns (bool) {
20          token.transfer(recipient, amount);
21      }
22
23      function allowance(address owner, address spender) external view returns (uint256) {
24          token.allowance(owner, spender);
25      }
26
27      function approve(address spender, uint256 amount) external returns (bool) {
28          token.approve(spender, amount);
29      }
30
31      function transferFrom(address sender, address recipient, uint256 amount) external returns (bool) {
32          token.transferFrom(sender, recipient, amount);
33      }
34
35      function increaseAllowance(address spender, uint256 addedValue) external returns (bool) {
36          token.increaseAllowance(spender, addedValue);
37      }
38
39      function decreaseAllowance(address spender, uint256 subtractedValue) external returns (bool) {
40          token.decreaseAllowance(spender, subtractedValue);
41      }
42  }
```
Recommendation:
We advise the contract to properly inherit the `BaseHST` implementation and to implement HTS token related functionality.
Alternatively, we advise the implementation to be removed from the codebase so as to avoid misleading potential integrators of the code.
Alleviation (04618e407bddce5b22e9cadd787fd3334bd3afe6):
The relevant script has been removed from the codebase per the latter of our two recommendations, addressing this exhibit.