# Makerspace2 Audit Notes

**Auditor:** Jake Bunce

**Client:** Makerspace https://makersplace.com/ https://github.com/yashh/collection

**Commit:** `22adc58e89e79a294c061e0d1ca54ffeebd9b0c6`

# Files in Scope

`contracts/CollectionCore.sol`

## Whitepaper & specification about the project

Whitepaper: None

## Review of the protocol/implementation

**[1] Total supply can be higher than tokens minted**

**Files Affected:** `contracts/CollectionCore.sol`

**Severity: Low**

There is a [check](https://github.com/yashh/collection/blob/master/contracts/CollectionCore.sol#L50) that `_totalSupply` is greater than 0; however, the deployer could pass any non-zero value here, which would not represent the true number of tokens minted.

**Recommendations:** As zero tokens will have been minted at deploy time, this check can be `require(_totalSupply == 0, "supply != 0");`

**[2] Royalty fees cannot be changed**

**Files Affected:** `contracts/CollectionCore.sol`

**Severity: Low**

The variable `royaltyPercentage` is set at deploy time but can subsequently never be changed.

**Recommendations:** Either allow the modification of this parameter or make it clear in user documentation that the royalty fee is fixed and cannot be changed.

**[3] No event emitted on deployment**

**Files Affected:** `contracts/CollectionCore.sol`

**Severity: Low**

The constructor does not emit an event when it has been called. Such an event is useful for post-deployment monitoring: it records which arguments were passed and allows the parameters to be validated.

**Recommendations:** Emit an event with the constructor arguments at deploy time.

**[4] Implementation of OBO Operator List**

**Files Affected:** `contracts/CollectionCore.sol`

**Severity: Medium**

[`isApprovedForAll`](https://github.com/yashh/collection/blob/master/contracts/CollectionCore.sol#L130) checks an `oboApproval` list, intended to handle the event of an OBO operator being compromised. A better implementation is to use a multisig account, where there are defined patterns for user management for this specific event.

**Recommendations:** Use a multisig wallet where users can be added and removed, and avoid defining this yourselves.
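The constructor pattern recommended in findings [1], [2] and [3], as an added illustrative sketch (this is not the audited `CollectionCore.sol` and makes no claim about its layout; the `MAX_ROYALTY_BPS` cap, the basis-point unit, and the simple owner check are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only, not the project's contract. It shows the
// deploy-time supply check from finding [1], a gated and observable
// royalty setter for finding [2], and the deployment event from finding [3].
contract CollectionConfigExample {
    address public owner;
    uint256 public totalSupply;
    uint256 public royaltyPercentage;          // assumed unit: basis points

    uint256 public constant MAX_ROYALTY_BPS = 1000; // assumed cap: 10%

    // Finding [3]: record the constructor arguments so off-chain monitoring
    // can verify that the deployed parameters are the expected ones.
    event Deployed(address indexed deployer, uint256 totalSupply, uint256 royaltyPercentage);
    // Finding [2]: if the fee may change, every change must be observable.
    event RoyaltyUpdated(uint256 oldPercentage, uint256 newPercentage);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _totalSupply, uint256 _royaltyPercentage) {
        // Finding [1]: nothing has been minted yet, so the supply passed in
        // must be exactly zero rather than merely non-zero.
        require(_totalSupply == 0, "supply != 0");
        require(_royaltyPercentage <= MAX_ROYALTY_BPS, "royalty too high");

        owner = msg.sender;
        totalSupply = _totalSupply;
        royaltyPercentage = _royaltyPercentage;

        emit Deployed(msg.sender, _totalSupply, _royaltyPercentage);
    }

    // Finding [2]: owner-gated update with the same bound as the constructor,
    // emitting old and new values so indexers can track the fee history.
    function setRoyaltyPercentage(uint256 _royaltyPercentage) external onlyOwner {
        require(_royaltyPercentage <= MAX_ROYALTY_BPS, "royalty too high");
        emit RoyaltyUpdated(royaltyPercentage, _royaltyPercentage);
        royaltyPercentage = _royaltyPercentage;
    }
}
```

The `Deployed` event lets a monitor compare the logged arguments against the expected configuration immediately after deployment, which is the check finding [3] calls for.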