Moxie Token Vesting Pro League
Findings & Analysis Report
2024-07-24
Overview
About C4
Code4rena (C4) is an open organization consisting of security researchers, auditors, developers, and individuals with domain expertise in smart contracts.
A C4 Pro League Audit is an event where elite-tier Code4rena contributors, commonly referred to as wardens, review, audit and analyze smart contract logic in exchange for a bounty provided by sponsoring projects.
During the Pro League audit outlined in this document, C4 conducted an analysis of the Moxie smart contract system written in Solidity. The audit took place between June 11 and July 12, 2024.
Wardens
2 Wardens contributed to Moxie:
Final report assembled by bytes032, thebrittfactor and Sentinel
Summary
The C4 Pro League analysis yielded no HIGH or MEDIUM severity vulnerabilities.
Additionally, C4 Pro League analysis included 1 finding with a risk rating of LOW severity.
Scope
The source code was delivered to Code4rena in a private Git repository.
Severity Criteria
C4 assesses the severity of disclosed vulnerabilities based on three primary risk categories: high, medium, and low/non-critical.
High-level considerations for vulnerabilities span the following key areas when conducting assessments:
- Malicious Input Handling
- Escalation of privileges
- Arithmetic
- Gas use
For more information regarding the severity criteria referenced throughout the submission review process, please refer to the documentation provided on the C4 website, specifically our section on Severity Categorization.
Low Risk Findings (1)
[L-1] Delta logic could be sidestepped if address that can pull tokens is added
Impact
require(_tokenDestinations.add(_dst), "Destination already added");
Risk of sidestep if a contract that can pull tokens is added:
Explanation
Since the fallback uses delta balances:
uint256 diff = oldBalance.sub(newBalance);
usedAmount = usedAmount.add(diff);
Pulling tokens that are approved will completely sidestep this mechanism and will allow moving all tokens before they are vested.
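The accounting gap described above, as a small Python model added here for illustration (not code from the Moxie repository or the audit report). Apart from usedAmount and _tokenDestinations, every name is hypothetical, and the model assumes an added destination holds a token allowance over the vesting wallet.

```python
# Constructed model, not the Moxie contracts. Names other than used_amount
# (usedAmount) and destinations (_tokenDestinations) are hypothetical.

class Token:
    def __init__(self):
        self.balance, self.allowance = {}, {}

    def transfer_from(self, spender, owner, to, amount):
        """ERC-20-style pull: spender moves owner's tokens using an allowance."""
        if min(self.allowance.get((owner, spender), 0), self.balance.get(owner, 0)) < amount:
            raise ValueError("allowance or balance exceeded")
        self.allowance[(owner, spender)] -= amount
        self.balance[owner] -= amount
        self.balance[to] = self.balance.get(to, 0) + amount

class VestingWallet:
    def __init__(self, token, managed_amount):
        self.token, self.managed_amount = token, managed_amount
        self.used_amount, self.destinations = 0, set()
        token.balance[self] = managed_amount

    def add_destination(self, dst):
        if dst in self.destinations:
            raise ValueError("Destination already added")
        self.destinations.add(dst)
        # Assumption: an added destination holds an allowance over the wallet.
        self.token.allowance[(self, dst)] = self.managed_amount

    def forward(self, dst, call):
        """Fallback path: run the call, then book any balance drop as used."""
        if dst not in self.destinations:
            raise ValueError("Unauthorized destination")
        old_balance = self.token.balance[self]
        call()
        diff = old_balance - self.token.balance[self]
        if diff > 0:
            self.used_amount += diff

    def unaccounted(self):
        """Tokens that left the wallet without being booked in used_amount."""
        return self.managed_amount - self.token.balance[self] - self.used_amount

def run_model():
    token = Token()
    wallet = VestingWallet(token, 1000)
    wallet.add_destination("dst")
    wallet.forward("dst", lambda: token.transfer_from("dst", wallet, "dst", 300))
    inside = (wallet.used_amount, wallet.unaccounted())
    token.transfer_from("dst", wallet, "dst", 200)  # pull outside the fallback
    return inside, (wallet.used_amount, wallet.unaccounted())
```

A non-zero unaccounted() is the reconciliation signal: tokens left the wallet without passing through the delta accounting, which is the property to check for every address proposed as a destination.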
NOTE
This will be safe when using MoxieBondingCurve, SubjectFactory and EasyAuction as the only _tokenDestinations.
Additional instances
The tokenManager could also offer the same vector:
address subjectToken = tokenManager.tokens(_subject);
Moxie: Acknowledged
C4 Pro League: Informational
Disclosures
C4 is an open organization governed by participants in the community.
C4 audits incentivize the discovery of exploits, vulnerabilities, and bugs in smart contracts. Security researchers are rewarded at an increasing rate for finding higher-risk issues. Audit submissions are judged by a knowledgeable security researcher and Solidity developer and disclosed to sponsoring developers. C4 does not conduct formal verification regarding the provided code but instead provides final verification.
C4 does not provide any guarantee or warranty regarding the security of this project. All smart contract software should be used at the sole risk and responsibility of users.