This document is a security audit report by RideSolo covering LCX V2.
- vestingToken.sol, GitHub commit hash 3723774ad70151c31743550b9f31af6566cd5031.
2 issues were reported, including:
- 2 owner privileges.
The contract owner allows himself to:
- Upgrade the token contract and implement any logic in the new contract:
    function setTokenAddress(IERC20 token) public onlyOwner returns(bool){
        LCXToken = token;
        return true;
    }
- Revoke the vesting and take users' tokens for himself, even if the tokens were bought by the users using ETH or a different asset:
    function revoke(address account) public onlyOwner {
        VestedToken storage vested = vestedUser[account];
        require(!vested.revoked);
        uint256 balance = vested.totalToken;
        uint256 vestedAmount = _vestedAmount(account);
        uint256 refund = balance.sub(vestedAmount);
        require(refund > 0);
        vested.revoked = true;
        vested.totalToken = vestedAmount;
        LCXToken.safeTransfer(owner(), refund);
        emit VestingRevoked(account);
    }
The audited contract is safe if the owner is trustworthy; otherwise, users should be aware of the risks.
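One way to remove both privileges, as an added example that is not LCX's or RideSolo's code: the token address is immutable, and revocability is a per-grant flag fixed at creation, so purchased allocations can be created as non-revocable. The contract name, `createGrant`, the `revocable` flag and the linear schedule are assumptions, since the audited `_vestedAmount` is not shown in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example, not LCX code; names are hypothetical. Assumes transfer() returns bool
// and that the contract already holds enough tokens to cover every grant.
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }

contract HardenedVesting {
    struct Grant {
        uint256 totalToken; uint256 released; uint64 start; uint64 duration; bool revoked;
        bool revocable; // fixed when the grant is created, readable by the beneficiary
    }
    address public immutable owner;
    IERC20 public immutable token; // no setter: cannot be repointed after deployment
    mapping(address => Grant) public grants;
    event VestingRevoked(address indexed account, uint256 refund);
    constructor(IERC20 token_) { owner = msg.sender; token = token_; }

    function createGrant(address account, uint256 amount, uint64 start, uint64 duration, bool revocable) external {
        require(msg.sender == owner, "not owner");
        require(grants[account].totalToken == 0 && amount > 0 && duration > 0, "bad grant");
        grants[account] = Grant(amount, 0, start, duration, false, revocable);
    }

    // Assumed linear schedule; the audited _vestedAmount is not shown in the report.
    function vestedAmount(address account) public view returns (uint256) {
        Grant storage g = grants[account];
        if (g.revoked || block.timestamp >= uint256(g.start) + g.duration) return g.totalToken;
        if (block.timestamp <= g.start) return 0;
        return (g.totalToken * (block.timestamp - g.start)) / g.duration;
    }

    function release() external {
        Grant storage g = grants[msg.sender];
        uint256 amount = vestedAmount(msg.sender) - g.released;
        require(amount > 0, "nothing to release");
        g.released += amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    function revoke(address account) external {
        require(msg.sender == owner, "not owner");
        Grant storage g = grants[account];
        require(g.revocable && !g.revoked, "not revocable");
        uint256 refund = g.totalToken - vestedAmount(account);
        require(refund > 0, "nothing to refund");
        g.revoked = true;
        g.totalToken -= refund; // beneficiary keeps everything vested so far
        require(token.transfer(owner, refund), "transfer failed");
        emit VestingRevoked(account, refund);
    }
}
```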