This is the report from a security audit performed on W12-Product-Blockchain-Protocol by gorbunovperm.
W12 is an open protocol for the creation of DAOs. The protocol consists of smart contract templates (no programming skills required), DAO governance and a decentralized oracles network that controls execution of the project roadmap and milestones.
All files from the contracts/ path at commit hash 893ae9f7161b3e3e794872c6e88cd5dcae807265.
In total, 2 issues were reported including:
- 0 high severity issues.
- 0 medium severity issues.
- 2 low severity issues.
- 0 minor observations.
The _value parameter is not checked for a zero value. If _value is zero, the condition in line 182 will be true and a vesting time will be added to the vestingTimes array on each call of the vestingTransfer function with a zero _value parameter. Thus, duplicate values will accumulate in the vestingTimes array.
If a zero-value vestingTransfer is followed by a transfer with a positive value, the accountBalance function will not work correctly: the balance will be subtracted once for each duplicated vestingTime.
It can happen by accident or maliciously.
Check the _value parameter for a zero value, or check for duplicates in the vestingTimes array.
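The accounting error described above, as a small Python model added here for illustration; it is not the W12 contract's code. The class and function names, the single shared vesting_times list and the "nothing locked yet" check standing in for the condition on line 182 are assumptions.

```python
# Simplified model of the vesting bookkeeping described in the finding.
# Assumption: a vesting time is recorded whenever nothing is locked for it yet;
# the contract's real check (line 182) is not reproduced in the report.

class VestingModel:
    def __init__(self, reject_zero=False, dedupe=False):
        self.balance = {}          # account -> total tokens held
        self.locked = {}           # (account, vesting_time) -> locked amount
        self.vesting_times = []    # list walked by account_balance
        self.reject_zero = reject_zero   # recommendation 1: refuse _value == 0
        self.dedupe = dedupe             # recommendation 2: no duplicate times

    def vesting_transfer(self, to, value, vesting_time):
        if self.reject_zero and value == 0:
            raise ValueError("zero-value vesting transfer rejected")
        key = (to, vesting_time)
        if self.locked.get(key, 0) == 0:   # still true after a zero-value call
            if not (self.dedupe and vesting_time in self.vesting_times):
                self.vesting_times.append(vesting_time)
        self.locked[key] = self.locked.get(key, 0) + value
        self.balance[to] = self.balance.get(to, 0) + value

    def account_balance(self, account, now):
        # Spendable = total held minus everything still locked at `now`.
        spendable = self.balance.get(account, 0)
        for t in self.vesting_times:       # a duplicated t is subtracted again
            if t > now:
                spendable -= self.locked.get((account, t), 0)
        return spendable


def demo(**fixes):
    """Zero-value call, then a real one. Returns (vesting_times, spendable)."""
    m = VestingModel(**fixes)
    m.balance["alice"] = 50                # constructed sample: 50 unlocked tokens
    try:
        m.vesting_transfer("alice", 0, vesting_time=1000)
    except ValueError:
        pass                               # with reject_zero the call never lands
    m.vesting_transfer("alice", 100, vesting_time=1000)
    return m.vesting_times, m.account_balance("alice", now=500)
```

Without either check the 100 locked tokens are subtracted twice, so the model reports a spendable balance below the 50 tokens that are actually unlocked; with either recommendation applied the list holds one entry and the result is 50.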
- The user can learn in advance about the decreaseApproval call and can use the funds that will not be available to him after the transaction with the decreaseApproval call.
- Lack of transaction handling mechanism issue. More details here
There are no serious vulnerabilities.