Review of the IDO contract: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol
Performed by @Dexaran on 11/2/2021
1. Ownership assignment is commented out by default (Low)
No owner address is assigned by default; the contract instead assigns the owner in its initialization function: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol#L248
In theory a third party can call the initialization function first and disrupt the deployment process.
2. Usage of loops (Low)
Usage of loops can cause high gas consumption. The contract does not allow the user to specify how many iterations it should perform (the claimBehalf function always works from round 1 to currentRound), therefore it is possible that the contract will end in an unusable state where no one can claim their tokens.
This does not pose any significant threat if the total number of rounds is known in advance and calculations show that the function call will not exceed the gas limit.
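One way to bound the work of such a loop is to let the caller choose how many rounds a single transaction processes and to keep a per-user cursor so that later calls resume where the previous one stopped. The sketch below is an added example, not code from the SoyFinance contract; the names Bet, bets, currentRound, nextClaimRound, claimable, soyPerUsd, recordBet and the maxRounds parameter of claimBehalf are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of bounded claiming; not the SoyFinance contract.
// All names here (Bet, bets, currentRound, nextClaimRound, claimable,
// soyPerUsd, recordBet, maxRounds) are assumptions for the example.
contract BoundedClaimExample {
    struct Bet { uint256 usdValue; uint256 lockedUntil; }

    uint256 public currentRound;
    uint256 public soyPerUsd = 10; // constructed reward rate (assumption)
    mapping(uint256 => mapping(address => Bet)) public bets;
    mapping(address => uint256) public nextClaimRound; // first round not yet processed
    mapping(address => uint256) public claimable;      // SOY credited but not yet transferred

    event Claimed(address indexed user, uint256 fromRound, uint256 toRound, uint256 soyAmount);

    // Stand-in for the real contribution path, so the example is self-contained.
    function recordBet(uint256 round, address user, uint256 usdValue, uint256 lockedUntil) external {
        bets[round][user] = Bet(usdValue, lockedUntil);
        if (round > currentRound) currentRound = round;
    }

    // The caller bounds the work with maxRounds. Rounds are processed in order
    // and the cursor stops at the first round that is still locked, so a round
    // is never skipped and never credited twice.
    function claimBehalf(address user, uint256 maxRounds) external returns (uint256 soyAmount) {
        require(maxRounds > 0, "maxRounds == 0");
        uint256 from = nextClaimRound[user];
        if (from == 0) from = 1;
        require(from <= currentRound, "nothing to claim");

        uint256 last = from + maxRounds - 1; // reverts on overflow in 0.8.x
        if (last > currentRound) last = currentRound;

        uint256 i = from;
        for (; i <= last; i++) {
            Bet storage b = bets[i][user];
            // A lock set in round i also covers later rounds, so stop here.
            if (b.lockedUntil > block.timestamp) break;
            soyAmount += b.usdValue * soyPerUsd;
        }
        require(i > from, "round still locked");

        nextClaimRound[user] = i; // next call resumes from the first unprocessed round
        claimable[user] += soyAmount;
        emit Claimed(user, from, i - 1, soyAmount);
    }
}
```

With this shape, a user whose history spans hundreds of rounds can claim in several smaller transactions, and the contract can never reach a state where claiming is impossible because a single call no longer fits in the block gas limit.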
3. usdValue of a user is never zeroed out (Note / Indirect logical expressions)
The logical flow of the contract suggests that bets[i][user].usdValue stores the value (in USD) contributed by a user during round i. This value is later used to calculate how much SOY reward the user must receive. However, the value of this variable is not zeroed out even when the user has already been paid (within this function).
It is assumed that the value of lockedUntil (while non-zero) will prevent the user from invoking the reward calculation function twice for a round that was already paid.
This does not pose any threat in the current state of the contract, but if the logic of lockedUntil is changed in future updates this may potentially break the function that pays rewards.
It may be reasonable to zero out the value of bets[i][user].usdValue once the reward is paid.
4. allowedToken mapping is not assigned (High)
Tokens are required to be marked as "allowed" in order to be accepted as payment by the IDO contract. However, nobody can assign the "allowed" status to any token.
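The following sketch is an added example, not the SoyFinance code, that illustrates the fixes for findings 3 and 4 together (and assigns the owner in the constructor, which also addresses finding 1): an owner-only setter for the allowed status, a contribute path that checks it, and a payout that zeroes bets[round][user].usdValue before transferring so that a repeat call pays nothing regardless of what lockedUntil holds. The names owner, soy, tokenUsdPrice, setAllowedToken, contribute, payRound, lockPeriod and soyPerUsd are assumptions; only allowedToken, bets, usdValue and lockedUntil come from the reviewed contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Added illustration; not the SoyFinance contract. Names other than
// allowedToken, bets, usdValue and lockedUntil are assumptions.
contract AllowedTokenAndPayoutExample {
    struct Bet { uint256 usdValue; uint256 lockedUntil; }

    address public owner;
    IERC20 public immutable soy;                 // reward token (assumption)
    mapping(address => bool) public allowedToken;       // finding 4: now has a setter
    mapping(address => uint256) public tokenUsdPrice;   // USD per 1e18 token units (assumption)
    mapping(uint256 => mapping(address => Bet)) public bets;
    uint256 public currentRound = 1;
    uint256 public lockPeriod = 1 days;          // constructed value (assumption)
    uint256 public soyPerUsd;                    // reward rate (assumption)

    event TokenAllowed(address indexed token, bool allowed, uint256 usdPrice);
    event Paid(address indexed user, uint256 round, uint256 soyAmount);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _soy, uint256 _soyPerUsd) {
        owner = msg.sender;   // finding 1: owner set at deployment, not left unassigned
        soy = _soy;
        soyPerUsd = _soyPerUsd;
    }

    // Finding 4: an explicit, owner-only way to mark a token as allowed.
    function setAllowedToken(address token, bool allowed, uint256 usdPrice) external onlyOwner {
        allowedToken[token] = allowed;
        tokenUsdPrice[token] = allowed ? usdPrice : 0;
        emit TokenAllowed(token, allowed, usdPrice);
    }

    // Only tokens marked allowed are accepted; usdValue is derived from the
    // owner-set price rather than trusted from the caller.
    function contribute(address token, uint256 amount) external {
        require(allowedToken[token], "token not allowed");
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
        Bet storage b = bets[currentRound][msg.sender];
        b.usdValue += amount * tokenUsdPrice[token] / 1e18;
        b.lockedUntil = block.timestamp + lockPeriod;
    }

    // Finding 3: the reward is computed from usdValue and usdValue is zeroed
    // before the transfer, so a second call for the same round pays nothing
    // even if the lockedUntil logic changes in a future update.
    function payRound(uint256 round, address user) external returns (uint256 paid) {
        Bet storage b = bets[round][user];
        require(block.timestamp >= b.lockedUntil, "still locked");
        uint256 usd = b.usdValue;
        if (usd == 0) return 0;          // already paid or never contributed
        b.usdValue = 0;                  // effects before interaction
        paid = usd * soyPerUsd;
        require(soy.transfer(user, paid), "payout failed");
        emit Paid(user, round, paid);
    }
}
```

The zeroing in payRound makes the "paid" state explicit in storage instead of being implied by lockedUntil, which is the property the finding asks for; the setter makes the allowed status reachable by the owner, which is what the High finding is missing.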
5. It is not clear what settings the contract should have for weekly / daily auctions (Note / Documentation requirement)
It is assumed that the contract can be configured as either (1) a daily auction or (2) a weekly auction, and that the same source code will be used to deploy both versions.