ETH_2key_report.md

1.Summary

This is the report from a security audit performed on 2key by MrCrambo.

The audit focused primarily on the security of 2key smart contracts.

2.In scope

1. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyAdminStorage.sol
2. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyBaseReputationRegistryStorage.sol
3. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyCampaignValidatorStorage.sol
4. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyCommunityTokenPoolStorage.sol
5. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyDeepFreezeTokenPoolStorage.sol
6. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyEventSourceStorage.sol
7. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyExchangeRateContractStorage.sol
8. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyFactoryStorage.sol
9. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyLongTermTokenPoolStorage.sol
10. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyMaintainersRegistryStorage.sol
11. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyPlasmaEventsStorage.sol
12. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyPlasmaMaintainersRegistryStorage.sol
13. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyPlasmaRegistryStorage.sol
14. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyRegistryStorage.sol
15. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeySignatureValidatorStorage.sol
16. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/storage-contracts/ITwoKeyUpgradableExchangeStorage.sol
17. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IDecentralizedNation.sol
18. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IERC20.sol
19. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe//contracts/2key/interfaces/IGetImplementation.sol
20. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IHandleCampaignDeployment.sol
21. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IKyberNetworkProxy.sol
22. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IMaintainingPattern.sol
23. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IStructuredStorage.sol
24. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyAcquisitionARC.sol
25. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyAcquisitionCampaignERC20.sol
26. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyAcquisitionLogicHandler.sol
27. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyAdmin.sol
28. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyBaseReputationRegistry.sol
29. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyCampaignGetReferrers.sol
30. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyCampaignPublicAddresses.sol
31. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyCampaignValidator.sol
32. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyConversionHandler.sol
33. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyConversionHandlerGetConverterState.sol
34. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyDonationCampaign.sol
35. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyDonationCampaignFetchAddresses.sol
36. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyDonationConversionHandler.sol
37. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyDonationLogicHandler.sol
38. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyEventSource.sol
39. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyEventSourceEvents.sol
40. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyExchangeRateContract.sol
41. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyMaintainersRegistry.sol
42. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyPlasmaEvents.sol
43. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyPlasmaRegistry.sol
44. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyPurchasesHandler.sol
45. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyReg.sol
46. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyRegistry.sol
47. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyRegistryEvents.sol
48. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeySingletoneAddressStorage.sol
49. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeySingletoneRegistryFetchAddress.sol
50. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeySingletonesRegistry.sol
51. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/ITwoKeyWeightedVoteContract.sol
52. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/interfaces/IUpgradableExchange.sol
53. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/libraries/Call.sol
54. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/libraries/GetCode.sol
55. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/libraries/IncentiveModels.sol
56. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/libraries/SafeERC20.sol
57. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/libraries/SafeMath.sol
58. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/libraries/Utils.sol
59. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/token-pools/TokenPool.sol
60. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/token-pools/TwoKeyCommunityTokenPool.sol
61. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/token-pools/TwoKeyDeepFreezeTokenPool.sol
62. https://github.com/2key/contracts/blob/7aa8485ef3dc44e7fa443eb62d6ed75a86fc4ebe/contracts/2key/token-pools/TwoKeyLongTermTokenPool.sol
63. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/ITwoKeySingletonUtils.sol
64. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/StandardTokenModified.sol
65. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyAdmin.sol
66. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyBaseReputationRegistry.sol
67. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyCampaignValidator.sol
68. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyCongress.sol#L180
69. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyEconomy.sol
70. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyEventSource.sol
71. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyExchangeRateContract.sol
72. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyFactory.sol
73. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyLockupContract.sol
74. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyMaintainersRegistry.sol
75. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyPlasmaEvents.sol
76. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyPlasmaMaintainersRegistry.sol
77. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyPlasmaRegistry.sol
78. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyPlasmaSingletoneRegistry.sol
79. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyRegistry.sol
80. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeySignatureValidator.sol
81. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeySingletonesRegistry.sol
82. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyUpgradableExchange.sol
83. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyAdminStorage.sol
84. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyBaseReputationRegistryStorage.sol
85. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyCampaignValidatorStorage.sol
86. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyCommunityTokenPoolStorage.sol
87. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyDeepFreezeTokenPoolStorage.sol
88. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyEventSourceStorage.sol
89. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyExchangeRateStorage.sol
90. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyFactoryStorage.sol
91. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyLongTermTokenPoolStorage.sol
92. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyMaintainersRegistryStorage.sol
93. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyPlasmaEventsStorage.sol
94. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyPlasmaMaintainersRegistryStorage.sol
95. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyPlasmaRegistryStorage.sol
96. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyRegistryStorage.sol
97. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeySignatureValidatorStorage.sol
98. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-storage-contracts/TwoKeyUpgradableExchangeStorage.sol
99. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/Proxy.sol
100. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/StructuredStorage.sol
101. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/UpgradabilityProxy.sol
102. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/UpgradabilityStorage.sol
103. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/Upgradeable.sol
104. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradable-pattern-campaigns/ProxyCampaign.sol
105. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradable-pattern-campaigns/UpgradabilityCampaignStorage.sol
106. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradable-pattern-campaigns/UpgradeableCampaign.sol
107. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/ERC20.sol
108. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/InvoiceTokenERC20.sol
109. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationCampaign.sol
110. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationCampaignType.sol
111. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationConversionHandler.sol
112. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationLogicHandler.sol
113. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/campaign-mutual-contracts/ArcERC20.sol
114. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/campaign-mutual-contracts/TwoKeyCampaign.sol
115. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/campaign-mutual-contracts/TwoKeyCampaignIncentiveModels.sol
116. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/acquisition-campaign-contracts/TwoKeyAcquisitionCampaignERC20.sol
117. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/acquisition-campaign-contracts/TwoKeyAcquisitionLogicHandler.sol
118. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/acquisition-campaign-contracts/TwoKeyConversionHandler.sol
119. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/acquisition-campaign-contracts/TwoKeyPurchasesHandler.sol
120. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/DecentralizedNation.sol
121. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/ERC20CustomToken.sol
122. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/ERC20TokenMock.sol
123. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/Ownable.sol
124. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/TwoKeyAirdropCampaign.sol
125. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/TwoKeyConversionStates.sol
126. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/TwoKeyConverterStates.sol
127. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/TwoKeyTypes.sol
128. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/TwoKeyVoteToken.sol
129. https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/UpgradabilityProxyAcquisition.sol

3.Findings

In total, 26 issues were reported including:

• 1 critical severity issues.

• 1 high severity issues.

• 7 medium severity issues.

• 9 owner privilegies issues.

• 6 low severity issues.

• 2 notes.

Security issues

3.1. Owner privilegies

Severity: owner privilegies

Description

• Owner can freeze transfer and transferFrom functions any time without any restrictions.
• Owner can change voting rules without any restrictions and checking conditions in lines 312 and 313
• Owner can add new implementation of contract without any restrictions, there is possibility that this contracts will be not audited and will contain issues.
• Owner can change any uint value in TwoKeyUpgradableExchange contract as buy and sell rates, weiRaised valuet etc.
• Owner can change proxy logic contract any times and chan change it to not audited contract.
• Owner can add value to contractorBalance and to contractorTotalProceeds any time without restrictions.
• Owner can add value to contractorBalance and to contractorTotalProceeds any time without restrictions.
• Owner can change min contribution value and max contribution value any time without any checking and also there is no event call after chaning, but should be as described in functions description.
• Owner can add any contract and allow it, so this contracts could be not audited.

3.2. ERC-20 support

Severity: low

Description

ERC-20 interface contract should include totalSupply and allowance functions.

Recommendation

Add totalSupply and allowance functions to the contract.

3.3. Zero address checking

Severity: low

Description

In function setInitialParams there is no zero address checking for _erc20Address and twoKeySingletonesRegistry. Other function links in Code snippets.

Code snippets

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyEconomy.sol#L19

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyEventSource.sol#L134

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyLockupContract.sol#L51

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeySingletonesRegistry.sol#L55

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/StructuredStorage.sol#L39

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/upgradability/UpgradabilityProxy.sol#L26

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationCampaign.sol#L38

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationConversionHandler.sol#L82

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/acquisition-campaign-contracts/TwoKeyAcquisitionCampaignERC20.sol#L45

Recommendation

Add zero address checking.

require(_erc20Address != address(0));
require(twoKeySingletonesRegistry != address(0));

3.4. Wrong value passing

Severity: medium

Description

In function setInitialParams there is wrong value passing to function setInitialParameters(_erc20Address, TWO_KEY_SINGLETON_REGISTRY);, because in all other similar functions there is passing value from arguments of functions and also TWO_KEY_SINGLETON_REGISTRY variable not initialized in this contract.

Recommendation

There should be passed twoKeySingletonesRegistry instead of TWO_KEY_SINGLETON_REGISTRY.

setInitialParameters(_erc20Address, twoKeySingletonesRegistry);

3.5. Different arrays size

Severity: low

Description

In constructor there is possibility that arrays initialMembers, initialMemberNames and votingPowers will have different sizes. Other functions with similar issue below in Code snippets

Code snippets

• In function setMultipleFiatCurrencyDetails arrays _currencies and baseToTargetRates.

Recommendation

Add checking, that arrays' sizes are equal.

require(initialMembers.length == initialMemberNames.length && initialMemberNames.length == votingPowers.length)

3.6. Wrong membership address replacing

Severity: medium

Description

In function replaceMemberAddress there is setting old member info to new address in line 199, but memberAddress will still be old address, which should be replaced.

Recommedantion

Create new Member struct for replaced address with copying memberSince, votingPower and name.

3.7. Distribution date changing

Severity: medium

Description

In function changeTokenDistributionDate there is possibility of increasing date instead of decreasing, if newDate will be less than tokenDistributionDate. So new dates will be few days sooner instead of earlier.

Same issue occur in function changeDistributionDate in TwoKeyPurchasesHandler.sol contract

Recommendation

Use this code instead of current:

tokenUnlockingDate[i] = tokenUnlockingDate[i] - shift;

3.8. TODO comments

Severity: note

Description

There are lot of TODO comments left in code.

Code snippets

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyPlasmaEvents.sol#L148

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/singleton-contracts/TwoKeyPlasmaEvents.sol#L276

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/acquisition-campaign-contracts/TwoKeyConversionHandler.sol#L185

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/TwoKeyAirdropCampaign.sol#L118

3.9. Empty fallback function

Severity: low

Description

Fallback function is empty, but should call buyTokens function from this contract.

Recommendation

Add code below into fallback function.

buyTokens(msg.sender);

3.10. No event call

Severity: note

Description

There is no Transfer even call in construtor after transfering funds to owner.

Recommendation

Add following code to constructor after setting owner balance equal to totalSupply_

emit Transfer(address(0), msg.sender, totalSupply_);

3.11. Truncated value

Severity: medium

Description

• In function createConversion there is possiblity of truncated value in line 233
• In function getHowMuchLeftForUserToSpend there is truncation possibility in line 121 so leftToSpendInFiats will show wrong amount.

    uint totalAmountSpentConvertedToFIAT = (alreadyDonatedEthWEI*rate).div(10**18);
    uint limit = maxDonationAmountWei;
    uint leftToSpendInFiats = limit.sub(totalAmountSpentConvertedToFIAT);

• In function updateRefchainRewards there is truncation possibility in lines 201 and 203, so updateReferrerMappings(influencers[i], b, _conversionId); will use wrong b value in line 207.
• In line 342 in function buyTokensAndDistributeReferrerRewards there could be truncation, so value reservedAmount2keyForRewards will be wrong.

    totalBounty2keys = (_maxReferralRewardETHWei / (rate)) * (1000);
    reservedAmount2keyForRewards = reservedAmount2keyForRewards.add(totalBounty2keys);

3.12. Out of gas

Severity: high

Description

In function getReferrers there is possibility of out of gas error, because there is two while loops with another contract function call and in case n_influencers will be more than few thousands there could occur this error.

Similar issue in TwoKeyAcquisitionLogicHandler.sol contract.

Code snippets

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationLogicHandler.sol#L229

https://github.com/2key/contracts/blob/c85f3e1f3a04c56afd28bf673758367cc3df6609/contracts/2key/donation-campaign-contracts/TwoKeyDonationLogicHandler.sol#L239

3.13. Wrong transferFrom function

Severity: low

Description

In function transferFrom there is adding conversionQuota to _to address balance, where conversionQuota is maximal ARC tokens that can be passed in transferFrom, but value will always be equal to 1. So in this function there will not be transfering tokens from one address to another, there will be burning from one and minting to another.

3.14. No checking for enough tokens

Severity: medium

Description

There is no checking that there will be enough tokens in line 344 in function buyTokensAndDistributeReferrerRewards as writed in TODO comment.

    //TODO: add require that there's enough tokens at this moment

Recommendation

Add checking that there is enough tokens.

3.15. Wrong condition checking

Severity: medium

Description

In function isCampaignEnded there is possiblity that campaignRaisedAlready will be more than campaignHardCapWei so in this case this function will retun false.

Recommendation

Check that campaignRaisedAlready is at least equal to campaignHardCapWei.

if(endCampaignWhenHardCapReached == true && campaignRaisedAlready >= campaignHardCapWei) {
    return true;
}

3.16. Empty if statement

Severity: low

Description

If statement in constructor has no code inside of it and could be deleted.

3.17. Anyone can transfer others tokens

Severity: critical

Description

Using function transferFrom anyone can transfer other addresses voting points to himself. There is no checking for person who call this function, so he can pass his address as to address and transfer himself anyones' voting points.

Recommendation

Better to use transfer function so only voting points' owners will be able to transfer their voting points.

3.18. Allowance function show wrong value

Severity: medium

Description

Function allowance show balanceOf functions' result and doesn't show the amount of tokens that an owner allowed to a spender. as writed in comment above function.

4.Conclusion

Smart contracts contain critical and high severity issues, please fix it before deploying.