# Audit Notes: StormX
**Auditor:** Jake Bunce
**Client:** StormX (https://stormx.io/)
**Repository:** https://github.com/stormxio/governance-token at commit `cd7d902`
## Whitepaper & specification about the project
The project is a governance token.
## Review of the protocol/implementation
**[1] Unlocked Pragma**
**Files Affected:** [`contracts/Governance.sol`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol)
**Severity: Low**
The Solidity pragma is not locked to a specific compiler version. Contracts should be deployed with the same compiler version and flags they were most thoroughly tested with; a floating pragma allows the contract to be compiled with a newer version that may introduce behaviour the tests did not cover.
**Recommendations:**
Lock the pragma to the compiler version used for testing (`pragma solidity x.y.z;` rather than `pragma solidity ^x.y.z;`).
**[2] Redundant constructor code**
**Files Affected:** [`contracts/Governance.sol`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol)
**Severity: Informational**
[`initialize()`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol#L16) calls [`__Governance_init()`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol#L33) with the same arguments that were passed to [`initialize()`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol#L16). This can be implemented more simply with a single upgradeable initializer (the constructor equivalent for upgradeable contracts).
**Recommendations:**
Use a single `initialize()` function to handle the initialization of contract variables at deployment time.
**[3] Constructor argument verification**
**Files Affected:** [`contracts/Governance.sol`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol)
**Severity: Low**
[`initialize()`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol#L16) does not emit an event carrying the arguments supplied at deploy time. Such an event is useful for verifying that the intended arguments are in use within the contract.
**Recommendations:**
Emit an event after the arguments are used in the contract, or introspect the variables from the deployment tooling.
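The following is an added example (not StormX's code) showing the pattern findings [2] and [3] recommend together: a single `initialize()` that sets the contract's parameters once, guarded by a minimal stand-in for an `initializer` modifier, and that emits the stored values so deployment tooling can confirm them from the transaction receipt. The parameter names `token` and `lockPeriod`, the event name and the pinned compiler version are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
// Added example, not StormX's code. Pragma is locked (version chosen for the example).
pragma solidity 0.8.20;

contract GovernanceInitExample {
    // Hypothetical configuration; names are assumptions for this example.
    address public token;
    uint256 public lockPeriod;
    bool private _initialized;

    // Emitted once with the values actually stored, not the raw arguments,
    // so a reviewer of the receipt sees what the contract will use.
    event Initialized(address indexed token, uint256 lockPeriod);

    // Minimal stand-in for an upgradeable-contract `initializer` modifier:
    // the function body may run exactly once.
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    // One initializer does all the work; there is no second internal
    // init function that re-receives the same arguments.
    function initialize(address token_, uint256 lockPeriod_) external initializer {
        require(token_ != address(0), "token is zero address");
        require(lockPeriod_ > 0, "lock period is zero");
        token = token_;
        lockPeriod = lockPeriod_;
        emit Initialized(token, lockPeriod);
    }
}
```

Deployment tooling can then assert on the `Initialized` log in the deploy receipt, or read `token()` and `lockPeriod()` back after deployment, before handing the address to users.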
**[4] Voting can be manipulated**
**Files Affected:** [`contracts/Governance.sol`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol)
**Severity: High?**
[`lock()`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol#L72) does not implement a timer to denote the lock period. This means there is scope for abuse of voting in the following scenario:
1) A snapshot vote is created
2) A malicious user buys the governance token on the open market
3) The malicious user uses the recently purchased tokens to vote on the snapshot
4) The tokens are then sold back to the market by the malicious user
In this scenario the vote is no longer reflective of the governance community and has been swayed by the malicious actor.
**Recommendations:**
Consider the impact of the manipulation of governance voting and whether this is a desirable attribute of the governance token. If it is not desirable, one way to mitigate this scenario is to implement a timer on the locked tokens, where a voter may only vote while the tokens are locked and the lock period is greater than the snapshot vote period.
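One way to implement the recommended timer, as an added example that is not StormX's code: each `lock()` records when the tokens were locked, `unlock()` refuses to release them before the lock period has elapsed, and a `votingPower()` view only counts tokens that were locked before the vote opened and cannot be released until after it closes. The contract name, the `Lock` struct, the `votingPower` signature and the use of a plain ERC-20 interface are assumptions for this example; the off-chain vote would call `votingPower` as its weighting strategy.

```solidity
// SPDX-License-Identifier: MIT
// Added example, not StormX's code.
pragma solidity 0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract TimedLockExample {
    IERC20 public immutable token;
    uint256 public immutable lockPeriod; // minimum time tokens stay locked (seconds)

    struct Lock {
        uint256 amount; // tokens currently locked
        uint256 since;  // timestamp of the most recent lock() call
    }
    mapping(address => Lock) public locks;

    event Locked(address indexed account, uint256 total, uint256 since);
    event Unlocked(address indexed account, uint256 amount);

    constructor(IERC20 token_, uint256 lockPeriod_) {
        require(address(token_) != address(0), "token is zero address");
        require(lockPeriod_ > 0, "lock period is zero");
        token = token_;
        lockPeriod = lockPeriod_;
    }

    function lock(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        Lock storage l = locks[msg.sender];
        l.amount += amount;
        // Restart the clock on every top-up so freshly acquired tokens
        // cannot inherit the age of an older lock.
        l.since = block.timestamp;
        emit Locked(msg.sender, l.amount, l.since);
    }

    function unlock(uint256 amount) external {
        Lock storage l = locks[msg.sender];
        require(amount > 0 && amount <= l.amount, "bad amount");
        require(block.timestamp >= l.since + lockPeriod, "still locked");
        l.amount -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Unlocked(msg.sender, amount);
    }

    // Weight for a vote that opened at voteStart and closes at voteEnd.
    // Tokens count only if they were locked before the vote opened and
    // cannot be unlocked until the vote has closed, so a buy-vote-sell
    // round trip inside the voting window carries no weight.
    function votingPower(address account, uint256 voteStart, uint256 voteEnd)
        external
        view
        returns (uint256)
    {
        Lock memory l = locks[account];
        if (l.amount == 0) return 0;
        if (l.since > voteStart) return 0;            // locked after the vote opened
        if (l.since + lockPeriod < voteEnd) return 0; // releasable before the vote closes
        return l.amount;
    }
}
```

Restarting `since` on every top-up is the simplest rule but also resets the clock for tokens that were already old; a per-deposit ledger or a weighted lock age avoids that at the cost of more storage. Whichever rule is chosen, `votingPower` enforces the recommendation directly: a lock only counts when `lockPeriod` covers the whole voting window.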
**[5] Unbounded loop may exhaust gas**
**Files Affected:** [`contracts/Governance.sol`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol)
**Severity: Low**
[`transfers()`](https://github.com/stormxio/governance-token/blob/master/contracts/Governance.sol#L125) does not check the length of the arrays passed to it. Arrays with a very large number of elements could cause this function to revert because execution exceeds the block gas limit.
**Recommendations:**
Consider adding an upper bound to the length of arrays passed into this function to ensure it will always complete.
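An added example of the bounded version, not StormX's code: the batch function checks that both arrays have the same length and that the length is within a fixed cap before looping, and it debits the sender once for the batch total so a partial batch can never be applied. The `MAX_BATCH` value, the contract and function names and the minimal balance bookkeeping are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
// Added example, not StormX's code.
pragma solidity 0.8.20;

contract BoundedBatchExample {
    // Hypothetical cap; choose it so a full batch fits comfortably
    // under the block gas limit of the target chain.
    uint256 public constant MAX_BATCH = 100;

    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() {
        balanceOf[msg.sender] = 1_000_000; // constructed sample supply
    }

    function transfers(address[] calldata recipients, uint256[] calldata amounts)
        external
        returns (bool)
    {
        uint256 n = recipients.length;
        require(n == amounts.length, "length mismatch");
        require(n > 0 && n <= MAX_BATCH, "batch size out of range");

        // Sum first (checked arithmetic in 0.8.x reverts on overflow) so the
        // sender's balance is debited exactly once for the whole batch.
        uint256 total;
        for (uint256 i = 0; i < n; i++) {
            total += amounts[i];
        }
        require(balanceOf[msg.sender] >= total, "insufficient balance");
        balanceOf[msg.sender] -= total;

        for (uint256 i = 0; i < n; i++) {
            require(recipients[i] != address(0), "zero recipient");
            balanceOf[recipients[i]] += amounts[i];
            emit Transfer(msg.sender, recipients[i], amounts[i]);
        }
        return true;
    }
}
```

With the cap in place the worst-case gas of `transfers()` is a known constant, so callers who need to move more than `MAX_BATCH` recipients split the work into several transactions rather than submitting one that can never succeed.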