Review of the IDO contract: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol
Performed by @Dexaran on 11/2/2021
Code snippet: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol#L24-L28
Owner address is not assigned to any address by default. The contractr assigns owner upon initialization however: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol#L248
In theory a third party interferer can call the initialization function to disrupt the deployment process.
Code snippet: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol#L337
Usage of loops can cause high gas consumption. The contract does not allow user to specify how much iterations it should perform (claimBehalf function always works from round 1 to currentRound
) therefore it is possible that the contract will end in an unusable state where no one can claim their tokens.
This does not pose any significant threat if the total number of rounds is preliminarily known and it calculations show that function call will not exceed the gasLimit.
Code snippet: https://github.com/SoyFinance/smart-contracts/blob/ea172c78fb817600e6bca9e4919dc07d74646465/IDO/ido.sol#L338
The logical flow of the contract suggests that bets[i][user].usdValue
stores the value (in USD) contributed by a user during a specified round i
. This value is later used in calculations of how much SOY reward the user must receive. However the value of this variable is not zeroed out even when the user is already paid (within this function)
It is assumed that the value of lockedUntil
(here while non-zero) will prevent the user from invoking the reward calculation function twice for a round that was already paid.
This does not pose any threat in the current state of the contract but in case the logic of lockedUntil
is changed in future updates this may potentially break the function that pays rewards.
It may be reasonable to zero out the value of bets[i][user].usdValue
once reward is paid.
Code snippet:
There are requirements for tokens to be market as "allowed" in order to be accepted as payment by the IDO contract. However nobody can assign an "allowed" status to any token.
5. It is not clear what settings the contract should have for weekly / daily auctions (Note/ Documentation requirement)
It is assumed that the contract can be configured to be either (1) daily auction or (2) weekly auction. This same source code will be used to deploy both versions.
The IDO contract is used with proxy, so it shouldn't use values assigned in constructors.
On proxy deploying the parameter data set to
0x8129fc1c
to call functioninitialize()
to protect from third-party initializtion.We may use a smaller loop by setting
fromRound
andtoRound
to a smaller range.bets[i][user].usdValue
used as a marker of a round where users participate to reduce gas usage on reading an additional value from storage (it will save about 500 gas on each interaction).Fixed.
Documentation:
https://docs.google.com/document/d/1eouJkYGE-wtWhccAYaHCHdB8sLnEJ9N154ddMPYNzjc/edit
https://docs.google.com/spreadsheets/d/1eH67f_y1Tvx3HxzpJ8Fk2gFFI3HBBhkaRG7mdQa7tx4/edit#gid=435322608