# Security Audit of VaultyFinance TokenVesting (#3.2)

## Conclusion

![](https://i.imgur.com/JcgiBeV.png =100x100)

The audit was performed for the "BlockSec" team by Vladimir Smelov vladimirfol@gmail.com

The following were not found in the final contract:
- Backdoors for investor funds withdrawal by anyone.
- Bugs allowing to steal money from the contract.
- Other security problems.

No obvious errors or backdoors were found in the contract.
The client was informed of all security notes below.

![](https://i.imgur.com/rdLQear.jpg =120x120)

## Scope

https://github.com/VaultyFinance/contracts
`622259f89005d253d951a6422642b4cee9a52a84`

- TokenVesting.sol

## Methodology

1. Blind audit. Try to understand the structure of the code.
2. Find information on the internet.
3. Ask questions to the developers.
4. Draw the scheme of cross-contract interactions.
5. Write user stories and usage cases.
6. Run static analyzers.

Find problems with:
- backdoors
- bugs
- math
- potential leaking of funds
- potential locking of the contract
- validation of arguments and events
- others

## Result

### Critical

### Major

#### 1. Return value is ignored
- TokenVesting.sol#196
- TokenVesting.sol#220

##### Recommendation.
Use the SafeERC20 library.

##### Status.
Fixed at `ca2a43c9b59a2b26ac54d36466202a42fcff2835`

### Warning

#### 1. Use SafeMath or solidity ^0.8.0.
There are a lot of places where unsafe subtraction is done. It's easy to miss a mistake.

##### Recommendation.
Use SafeMath everywhere or solidity ^0.8.0.

##### Status.
Fixed at `ca2a43c9b59a2b26ac54d36466202a42fcff2835`

### Comment

#### 1. Use reentryGuard.
Use reentryGuard on every external/public method to be sure no reentry will happen.

##### Recommendation.
Use reentryGuard.

##### Status.
ACKNOWLEDGED

#### 2. Deflation tokens support.
It is not true for all tokens that after `transfer(x)` the balance changes by `x` tokens, because some contracts burn some tokens on every transfer. There were some hacks in DeFi based on this fact.
This note is valid for all contracts which use any ERC20/BEP20 tokens.

##### Recommendation.
Check balances after transfer or add a comment noting that such tokens are not supported.

##### Status.
ACKNOWLEDGED

#### 3. Multiplication on the result of a division.
```
(TokenVesting.sol#128)
-daysElapsed = (block.timestamp - lastClaim) / 86400
(TokenVesting.sol#150)
daysInPeriodToClaim = daysElapsed
(TokenVesting.sol#153-155)
tokensAmount = tokensAmount.add(uint256(vestingPeriod.tokensPerDay)
.mul(daysInPeriodToClaim))
```

##### Recommendation.
Place division after multiplication to increase accuracy.

##### Status.
NOT_ISSUE
ACKNOWLEDGED

#### 4. Methods should be declared external.
```
tokensToClaim(address) should be declared external:
- TokenVesting.tokensToClaim(address) (TokenVesting.sol#114-117)
```

##### Recommendation.
Make methods `external` to save gas.

##### Status.
NOT_ISSUE
ACKNOWLEDGED

#### 5. Events emitted after external calls.
Be careful because reentry with other events is possible inside external calls.
```
Event emitted after the call(s):
TokensClaimed(_beneficiary,amountToClaim) (TokenVesting.sol#214)
```

##### Status.
ACKNOWLEDGED
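
The recommendations from Major #1 (SafeERC20) and Comment #2 (check balances after transfer) can be combined as in the sketch below. This is an added example, not code from the audited TokenVesting contract; the contract name, the `deposited` mapping and the function names are hypothetical, and it assumes Solidity ^0.8.0 with OpenZeppelin Contracts 4.x or later.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Added illustration only; hypothetical contract, not TokenVesting.
contract CheckedTransferExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public deposited; // hypothetical accounting

    event Withdrawn(address indexed to, uint256 amount);

    constructor(IERC20 _token) {
        token = _token;
    }

    /// Pull tokens in and credit only what actually arrived.
    function deposit(uint256 amount) external {
        uint256 balanceBefore = token.balanceOf(address(this));
        // safeTransferFrom reverts when the token returns false,
        // so a failed transfer can no longer be silently ignored.
        token.safeTransferFrom(msg.sender, address(this), amount);
        uint256 received = token.balanceOf(address(this)) - balanceBefore;
        // Reject deflationary (burn/fee-on-transfer) tokens explicitly
        // instead of crediting more than the contract holds.
        require(received == amount, "deflationary token not supported");
        deposited[msg.sender] += received;
    }

    /// State update and event come before the external call.
    function withdraw(uint256 amount) external {
        // Checked arithmetic in ^0.8.0: reverts on underflow.
        deposited[msg.sender] -= amount;
        emit Withdrawn(msg.sender, amount);
        token.safeTransfer(msg.sender, amount);
    }
}
```

A contract that wants to support deflationary tokens rather than reject them would drop the `require` and credit `received` instead of `amount`.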