Audits

Here are all of the audits our contracts have had over time, starting with the most recent.

V0.1 - Launch Audits - February 2020

These audits are based on this GitHub commit.

Audit 1

Who?

Dan Bogdanov - Former Auditor at Callisto

Findings?

The issues from this report include:

  1. There is no way to remove outdated airdrops. We are aware of this and it will not cause any challenges as Lock would need to manually add hundreds of airdrops for one token before this would become problematic. If we reach 100 airdrops with any token, we will update this code.

  2. If a user sends ETH or ERC-20 directly to the contract, there is no way to return it. We are aware of this. It is the case for many contracts. The gas cost of a fix is not worth it for our users. Please just do not send funds directly to the contract address.

  3. There was an operator error in a smart contract.

    This has since been edited.

Audit 2

Who?

Stefan Beyer - Cryptonics

Findings?

The only findings from this report were:

  1. There was an operator error in a smart contract.

    This has since been edited.

  2. There is no way to remove outdated airdrops. We are aware of this and it will not cause any challenges as Lock would need to manually add hundreds of airdrops for one token before this could become problematic. If we reach 100 airdrops with any token, we will update this code.

  3. Excessive precision in ETH price value may lead to unwanted reverts.

    We agreed with the auditor and introduced a threshold value to allow for rounding imprecision.

MVP - Launch Audits - December 2019

These audits are based on this GitHub commit.

Audit 1

Who?

Dan Bogdanov - Former Auditor at Callisto

Findings?

The findings from this report include:

  1. There is no way to remove outdated airdrops. We are aware of this and it will not cause any challenges as Lock would need to manually add hundreds of airdrops for one token before this could become problematic. If we reach 100 airdrops with any token, we will update this code.

  2. If a user sends ETH or ERC-20 directly to the contract, there is no way to return it. We are aware of this. It is the case for many contracts. The gas cost of a fix is not worth it for our users. Please just do not send funds directly to the contract address.

  3. There is no limit in the contract on the amount of time a user can lock their assets. We are aware of this and it is intentional, because we do not want to limit how our users use the platform. However, in the first version of the UI we will limit the maximum possible number of days to lock to 365.

  4. Admin can change the fee charged. We are aware of this and it is a feature, not a bug. The main goals are to have enough funding to continue developing the protocol and to take a reasonable level of profit for our efforts.

Audit 2

Who?

Stefan Beyer - Cryptonics

Findings?

The only two findings from this report were:

  1. We used the transfer() method instead of call.value(); this has since been updated.

  2. The functions getAirdrops() and _claimAirdroppedTokens() loop over airdrop arrays. Should these arrays grow too large, these transactions will revert because of the block gas limit. This issue is mitigated by the fact that airdrops can only be added by the contract’s owner and can therefore not be exploited for a DoS-style attack. However, since there is no way to remove an airdrop, it would be impossible for the contract owner to fix the issue should the array grow too large accidentally. For extra safety, an airdrop removal method should be considered. Lock would need to manually add hundreds of airdrops for one token before this could become problematic. If we reach 100 airdrops with any token, we will update this code.
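As an added illustration (a hypothetical sketch, not the audited contract), the pattern this finding describes in Solidity: an owner-only airdrop list that getAirdrops() iterates, with the 100-airdrop limit from the text enforced on-chain and the removal method the auditor suggested. Everything except the getAirdrops() name and the limit is assumed.

```solidity
pragma solidity ^0.5.0;

// Hypothetical sketch, not the audited contract: an owner-managed airdrop list
// per locked token, iterated on read/claim, with a hard cap and a removal method.
contract AirdropRegistry {
    struct Airdrop {
        address airdropToken;  // token being distributed (assumed field)
        uint256 snapshotBlock; // block whose balances the airdrop uses (assumed field)
    }
    // The size at which the page says the code would be revisited; enforcing it
    // on-chain bounds every loop below regardless of operator error.
    uint256 public constant MAX_AIRDROPS = 100;

    address public owner;
    mapping(address => Airdrop[]) private airdrops; // locked token => airdrops

    constructor() public { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Only the owner can grow the array, so a third party cannot inflate it for
    // a DoS; the cap guards against accidental growth.
    function addAirdrop(address lockedToken, address token, uint256 snapshotBlock)
        external onlyOwner
    {
        require(airdrops[lockedToken].length < MAX_AIRDROPS, "airdrop list full");
        airdrops[lockedToken].push(Airdrop(token, snapshotBlock));
    }

    // The removal method the audit recommended: swap-and-pop is O(1) and keeps the
    // array compact, but it reorders entries, so claim logic must not rely on indices.
    function removeAirdrop(address lockedToken, uint256 index) external onlyOwner {
        Airdrop[] storage list = airdrops[lockedToken];
        require(index < list.length, "index out of range");
        list[index] = list[list.length - 1];
        list.pop();
    }

    // Read-side loop; with length <= MAX_AIRDROPS it cannot hit the block gas limit.
    function getAirdrops(address lockedToken)
        external view returns (address[] memory tokens, uint256[] memory blocks)
    {
        Airdrop[] storage list = airdrops[lockedToken];
        tokens = new address[](list.length);
        blocks = new uint256[](list.length);
        for (uint256 i = 0; i < list.length; i++) {
            tokens[i] = list[i].airdropToken;
            blocks[i] = list[i].snapshotBlock;
        }
    }
}
```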
