# FlowCarbon-2 Audit Notes **Auditor:** Jake Bunce **Client:** Flow Carbon https://www.flowcarbon.com/ https://github.com/flowcarbon/ **Commit:** `51ae4dc826aca9c245ab466ed8ec192f1e87e831` ## Review of the protocol/implementation **[1] Contract could be left ownerless** **Severity: Low** **Files Affected:** `VestingFactory.sol` This contract inherits from OpenZeppelin's `Ownable` library, which exposes an ABI to renounce ownership of the contract. This could result in the contract accidently being left without an owner should it be called. **Recommendations:** Override the `renounceOwnership()` function with a `revert()` statement to prevent the contract being left without an owner. **[2] Constructor argument events** **Severity: Low** **Files Affected:** `VestingFactory.sol` The [constructor](https://github.com/flowcarbon/dao/blob/main/contracts/VestingFactory.sol#L28) receives arguments at deploy time setting the implementation and token contracts, along with the owner address. When the owner address is set an event is emitted by the OpenZeppelin library, however it is useful for validation of correct parameters set that the other arguments have an event emitted too. **Recommendations:** Emit events for all arguments passed into the constructor. **[3] Unlocked Pragma** **Severity: Low** **Files Affected:** `DAOToken.sol` Default AL text