Omniscia WallFair Audit

Token Vesting Security Audit

We were tasked with performing an audit on the WallFair codebase and in particular their token and vesting implementation.

The token is a standard ERC20 token whose supply is minted at initialization and can no longer be increased afterwards. The vesting contract is a straightforward vesting implementation that applies the same parameters to all its members specified at creation.

The design of the vesting implementation does not sanitize its state transitions and can easily be led into an inexecutable state, given that it assumes the tokens for the vesting schedules will be funded after creation.

We advise shifting this design to instead declare a dedicated function that introduces a vesting member and funds the contract at that point via a transferFrom call, thus guaranteeing that there are sufficient funds to pay out the vesting schedule.
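A sketch of the recommended pattern, added here as an illustration and not taken from the WallFair codebase or the audit itself. The contract name, function names and the linear release curve are assumptions; the owner is assumed to have approved the contract for the allocation before calling addMember.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal ERC20 surface needed by this sketch.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical contract illustrating the recommendation; all names are assumptions.
contract FundedVesting {
    IERC20 public immutable token;
    address public immutable owner;
    uint256 public immutable start;    // shared by every member
    uint256 public immutable duration; // shared by every member

    mapping(address => uint256) public allocation; // total amount per member
    mapping(address => uint256) public released;   // amount already paid out

    constructor(IERC20 token_, uint256 start_, uint256 duration_) {
        token = token_;
        owner = msg.sender;
        start = start_;
        duration = duration_;
    }

    // Adds a member and pulls their full allocation in the same transaction,
    // so a schedule can never exist without the tokens to pay it.
    function addMember(address member, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(member != address(0) && amount > 0, "bad input");
        require(allocation[member] == 0, "already a member");
        allocation[member] = amount;
        require(token.transferFrom(msg.sender, address(this), amount), "funding failed");
    }

    // Linear release between start and start + duration (assumed curve).
    function vested(address member) public view returns (uint256) {
        if (block.timestamp <= start) return 0;
        uint256 elapsed = block.timestamp - start;
        if (elapsed >= duration) return allocation[member];
        return (allocation[member] * elapsed) / duration;
    }

    function release() external {
        uint256 amount = vested(msg.sender) - released[msg.sender];
        require(amount > 0, "nothing to release");
        released[msg.sender] += amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Because addMember reverts when the transferFrom fails, the contract's token balance always covers the sum of unreleased allocations, which is the invariant the unfunded design lacks.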

Overall, the codebase has been developed conformant to the latest security and code standards.

During the audit, we filtered and validated a total of 2 findings utilizing static analysis tools and identified a total of 5 findings during the manual review of the codebase. We strongly recommend that any findings of minor severity or higher are dealt with promptly prior to the project's launch, as they introduce potential misbehaviours of the system as well as exploits.

The list below covers each segment of the audit in depth and links to the respective chapter of the report: