Omniscia Tokemak Network Audit

TokeVotePool Manual Review Findings


TVP-01M: Unsanitized State Transition

Description:

The setEventSend function should only set the _eventSend value to true once the values of the destinations struct have been populated; it currently performs no such check.

Example:

contracts/pools/TokeVotePool.sol
function setEventSend(bool _eventSendSet) external override onlyOwner {
    _eventSend = _eventSendSet;

    emit EventSendSet(_eventSendSet);
}

Recommendation:

We advise such sanitization to be imposed via corresponding require checks, as otherwise enabling event sending while the destinations are unset would cause almost all functions of the contract to become inexecutable.

Alleviation:

The function can now only be executed once the destinations.destinationOnL2 value has been set.
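The sanitized state transition recommended above, as an added illustration that is not Tokemak's own code. Only setEventSend, _eventSend, EventSendSet, onlyOwner and the destinations.destinationOnL2 member appear in the audited contract; the Destinations struct layout, the setDestinations setter, the messenger field and the body of encodeAndSendData are assumptions made for this example.

```solidity
// Added example (not from the Tokemak code base): a minimal sketch of the
// TVP-01M fix. Names marked "assumed" are hypothetical.
pragma solidity ^0.8.0;

contract TokeVotePoolSketch {
    // Assumed shape of the destinations struct; only destinationOnL2 is
    // named in the audit.
    struct Destinations {
        address messenger;       // assumed: cross-chain messaging contract
        address destinationOnL2; // named in the alleviation
    }

    address public owner;
    Destinations public destinations;
    bool private _eventSend;

    event EventSendSet(bool eventSendSet);
    event DestinationsSet(address messenger, address destinationOnL2);

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Assumed setter: the audited contract must populate destinations
    // somewhere, and zero addresses should be rejected at that point too.
    function setDestinations(address messenger, address destinationOnL2) external onlyOwner {
        require(messenger != address(0) && destinationOnL2 != address(0), "ZERO_DESTINATION");
        destinations = Destinations(messenger, destinationOnL2);
        emit DestinationsSet(messenger, destinationOnL2);
    }

    // Before the fix, _eventSend could be set to true with destinations unset,
    // after which every path through encodeAndSendData reverts. The require
    // only guards the transition to true; disabling is always allowed so the
    // owner can recover from a bad configuration.
    function setEventSend(bool eventSendSet) external onlyOwner {
        if (eventSendSet) {
            require(destinations.destinationOnL2 != address(0), "DESTINATION_NOT_SET");
        }
        _eventSend = eventSendSet;
        emit EventSendSet(eventSendSet);
    }

    // Assumed shape of the send path. When event sending is enabled the
    // payload is built for the L2 destination; with an unset destination the
    // require here is what would make every calling function inexecutable.
    // The actual bridge call is not shown in the audit and is omitted.
    function encodeAndSendData(bytes32 eventSig, address user) internal view returns (bytes memory) {
        if (!_eventSend) return "";
        require(destinations.destinationOnL2 != address(0), "DESTINATION_NOT_SET");
        return abi.encode(destinations.destinationOnL2, eventSig, user, block.number);
    }
}
```

The guard deliberately lives on the enabling transition rather than only inside encodeAndSendData: checking at configuration time turns a latent failure of every event-emitting function into a single reverting admin call, which is far easier to notice and correct.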

TVP-02M: Incorrect Function Visibility

Type: Logical Fault
Severity: Informational
Location: TokeVotePool.sol:L150

Description:

The linked function is set as public, allowing anyone to trigger a "Withdrawal Request" balance update event, and the corresponding encodeAndSendData call, for arbitrary addresses.

Example:

contracts/pools/TokeVotePool.sol
150 function triggerBalanceUpdateEvent(address[] memory _addresses) public {
151     bytes32 eventSig = "Withdrawal Request";
152     for (uint256 i = 0; i < _addresses.length; i++) {
153         encodeAndSendData(eventSig, _addresses[i]);
154     }
155
156     emit BalanceEventUpdated(_addresses);
157 }

Recommendation:

We advise it to be set as internal, as it should not be exposed publicly, in order to limit the contract's attack surface.

Alleviation:

The Tokemak team has stated that there is no harm in the function's exposure and that it should remain as is.