Moxie Token Vesting Pro League
Findings & Analysis Report

2024-07-24

Table of contents

Overview

About C4

Code4rena (C4) is an open organization consisting of security researchers, auditors, developers, and individuals with domain expertise in smart contracts.

A C4 Pro League Audit is an event where elite tier Code4rena contributors, commonly referred to as wardens, reviews, audits and analyzes smart contract logic in exchange for a bounty provided by sponsoring projects.

During the Pro League audit outlined in this document, C4 conducted an analysis of the Moxie smart contract system written in Solidity. The audit took place between June 11 - July 12, 2024.

Wardens

2 Wardens contributed to Moxie:

  1. GalloDaSballo
  2. hickuphh3

Final report assembled by bytes032, thebrittfactor and Sentinel

Summary

The C4 Pro League analysis yielded no HIGH or MEDIUM severity vulnerabilities.

Additionally, C4 Pro League analysis included 1 finding with a risk rating of LOW severity.

Scope

The source code was delivered to Code4rena in a private Git repository.

Severity Criteria

C4 assesses the severity of disclosed vulnerabilities based on three primary risk categories: high, medium, and low/non-critical.

High-level considerations for vulnerabilities span the following key areas when conducting assessments:

  • Malicious Input Handling
  • Escalation of privileges
  • Arithmetic
  • Gas use

For more information regarding the severity criteria referenced throughout the submission review process, please refer to the documentation provided on the C4 website, specifically our section on Severity Categorization.


Low Risk Findings (1)

[L-1] Delta logic could be sidestepped if address that can pull tokens is added

Impact

        require(_tokenDestinations.add(_dst), "Destination already added");

Risk of sidestep if a contract that can pull tokens is added:

Explanation

Since the fallback uses a delta balances

    uint256 diff = oldBalance.sub(newBalance);
    usedAmount = usedAmount.add(diff);

Pulling tokens that are approved will completely sidestep this mechanism and will allow moving all tokens before they are vested.

NOTE

This will be safe when using MoxieBondingCurve and SubjectFactory and EasyAuction as the only _tokenDestinations

Additional instances

The tokenManager could also offer the same vector:

        address subjectToken = tokenManager.tokens(_subject);

Moxie

Acknowledged

C4 Pro League

Informational

Disclosures

C4 is an open organization governed by participants in the community.

C4 audits incentivize the discovery of exploits, vulnerabilities, and bugs in smart contracts. Security researchers are rewarded at an increasing rate for finding higher-risk issues. Audit submissions are judged by a knowledgeable security researcher and solidity developer and disclosed to sponsoring developers. C4 does not conduct formal verification regarding the provided code but instead provides final verification.

C4 does not provide any guarantee or warranty regarding the security of this project. All smart contract software should be used at the sole risk and responsibility of users.