Dreams Quest
  • Overview
  • Legal Disclaimer
  • Audit Results
    • DreamQuest Token
      • About
      • BEP-20 Compatibility
      • Privilege Functions
      • Findings
    • Vesting Contract
      • Findings
  • Summary
Powered by GitBook
On this page
  • Issue 01
  • Issue 02
  • Issue 03
  • Issue 04
  • Issue 05
  • Issue 06
  • Issue 07
  • Issue 08
  • General Notes
  1. Audit Results

Vesting Contract

Issue 01

Type

Severity

Location

Status

Owner Capabilities

High

addInvestor

Description

The owner of the contract can call addInvestor which will add an address to the vesting contract. The vesting contract is minting tokens for each investor, therefore the team can use this ability to mint tokens.

Recommendation

Our recommendation is to transfer the ownership to a timelock contract in order to delay the execution of such methods or to mint all tokens beforehand and remove minting functionality from the vesting contract.

Issue 02

Type

Severity

Location

Status

Best Practice

Informational

_calculateUnlockedTokens

Resolved

Description

This function calculates the amount of unlocked tokens for investor.

Recommendation:

Consider making this function public in order to have a way for investors to get the amount of tokens unlocked.

Issue 03

Type

Severity

Location

Status

Best Practice

High

global variables

Resolved

Description

isFinalized unused.

Recommendation

Remove unused variables and functions from the code to save on gas fees and storage.

Issue 04

Type

Severity

Location

Status

Best Practice

Medium

withdrawTokens

Resolved

Description

The function withdrawTokens mint tokens for the investor.

Consider adding a sanity check that checks the investor didn't withdraw more than the initial allocation in this function.

Issue 05

Type

Severity

Location

Status

Logical Issue

Informational

startTime

Resolved

Description

startTime is not accurate since the starting time is _initialTimeStamp.

Recommendation

consider changing the return value in getInvestorStartTime to the initial timestamp.

Issue 06

Type

Severity

Location

Status

Gas Optimization/Best Practice

Informational

startTime

Resolved

Description

The variable _totalAllocatedAmount is not used in the code, and is declared as private.

Recommendation

Consider making it public.

Issue 07

Type

Severity

Location

Status

Best Practice

Informational

getInitialTimestamp

Resolved

Description

getInitialTimestamp is not called in the contract.

Recommendation

Consider declaring it external to save on gas fees.

Issue 08

Type

Severity

Location

Status

Logical Issue / Gas Optimization

Informational

_calculateUnlockedTokens

Resolved

Description

   require(
            investor.withdrawnTokens <= investor.tokensAllotment,
            "withdrawTokens: investor has already withdrawn all available balance"
        );

This require statement should make sure the withdrawn amount of tokens is strictly lower than the allotment not lower equal to.

General Notes

  1. Consider adding a function that will return useful data for investors in one call - for example, total allocation, amount of unlocked tokens, next unlock time, end of cliff timestamp and end of vesting timestamp.

  2. From our experience, investors don't expect vesting contracts to mint tokens this can create a scenario where less tech-savvy users won't understand the tokenomics and why tokens keep being minted from different contracts. We strongly recommend to mint all vested tokens before vesting starts and simply distributing them in the vesting contract.

  3. Consider adding a way to edit vesting data before vesting starts (when not initialized).

PreviousFindingsNextFindings

Last updated 3 years ago