This document is a security audit report performed by RideSolo, in which the DappVolume project has been reviewed.
- dappVolumeAd.sol, github commit hash f95df2c546ff2d175adc3854c75e365377ca0ba4.
- dappVolumeHearts.sol, github commit hash 93196a407a039d017d8621a68163f9bd94bcf2bb.
- dappVolumeProfile.sol, github commit hash 2643cc04a0507529fe046520fe342da89a33e5e2.
4 issues were reported, including:
- 1 medium severity issue.
- 2 low severity issues.
- 1 minor remark.
Medium severity: concerning the function updateInvestor, member of the dappVolumeAd contract. As advertised on the website, "An investor can get bought out by a bigger investor and will get 120% of their investment back".
The implementation of the function does not reflect the above definition. If an investor invests more ether than the investmentMin state variable, and the next investor invests the exact required amount, the first investor will not get 120% of his investment back but less (the percentage actually paid depends on the next investor's payment, not on the first investor's stake).
The opposite is also true: an investor can get more than 120% of his ether back if the next investor sends more than the required amount.
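The following sketch is an added illustration, not DappVolume's code, of a buyout slot in which the refund is computed from the outgoing investor's own recorded stake rather than from the incoming payment, so the advertised 120% holds whether the buyer pays exactly the required amount or overpays. The contract name, the investmentMin floor and the decision to keep any surplus in the contract are assumptions made for the example.

```solidity
pragma solidity ^0.4.24;

// Added illustration (not the project's code): one investor slot that can be
// bought out, where the previous holder is always repaid exactly 120% of what
// they actually paid in.
contract BuyoutSketch {
    address public investor;        // current slot holder
    uint256 public investment;      // what the current holder actually paid (wei)
    uint256 public investmentMin;   // assumed: floor price for the very first investment

    constructor(uint256 _investmentMin) public {
        investmentMin = _investmentMin;
        investor = msg.sender;      // seed with the owner so the payee is never address(0)
        investment = 0;             // owner has no stake, so the first refund is 0
    }

    // Price a buyer must pay to take over the slot: 120% of the holder's stake,
    // but never below investmentMin. msg.value is far below 2**256 / 120, so
    // the multiplication cannot overflow.
    function buyoutPrice() public view returns (uint256) {
        uint256 price = investment * 120 / 100;
        return price > investmentMin ? price : investmentMin;
    }

    function updateInvestor() public payable {
        require(msg.value >= buyoutPrice(), "pay at least the buyout price");

        address previous = investor;
        // Refund is 120% of THEIR stake, independent of how much msg.value exceeds it.
        uint256 refund = investment * 120 / 100;

        // Effects before interaction: update state, then pay out.
        investor = msg.sender;
        investment = msg.value;

        if (refund > 0) {
            previous.transfer(refund);
        }
        // Any surplus (msg.value - refund) remains in the contract for the owner
        // to withdraw (withdrawal logic omitted in this sketch).
    }
}
```

With this shape, a buyer who sends more than buyoutPrice() does not inflate the previous investor's refund, and a buyer who sends exactly the required amount still covers the full 120%, which is the property the advertised program promises.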
Low severity: lastAddress, member of the dappVolumeHearts contract, is not set in the constructor. This issue leads to the loss of the first half of the ether sent using the update function, member of the same contract.
Half of the ether sent will go to the address 0x0; however, this issue concerns only the first transaction.
Recommendation: set lastAddress to the owner address when creating the contract.
Low severity: in order for a dapp to be advertised, the id input of the function updateAd (dappVolumeAd contract) has to be higher than zero; the same requirement is not applied in order for a dapp to be liked in the function update, member of dappVolumeHearts.
https://github.com/dappvolume/smart-contracts/blob/f95df2c546ff2d175adc3854c75e365377ca0ba4/dappVolumeHearts.sol#L82#L88
https://github.com/dappvolume/smart-contracts/blob/f95df2c546ff2d175adc3854c75e365377ca0ba4/dappVolumeAd.sol#L106#L133
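The sketch below is an added illustration, not DappVolume's code, of the "hearts" pattern as the two low severity findings describe it: each payment is split, with half going to the previous payer tracked in lastAddress. It shows lastAddress being initialised in the constructor and the id > 0 check mirrored from updateAd. The contract name, the hearts mapping and sending the other half to the owner are assumptions made for the example.

```solidity
pragma solidity ^0.4.24;

// Added illustration (not the project's code): a payment-splitting "like"
// function with both low severity findings addressed.
contract HeartsSketch {
    address public owner;
    address public lastAddress;                 // finding: must be initialised
    mapping(uint256 => uint256) public hearts;  // assumed: dapp id => total wei received

    constructor() public {
        owner = msg.sender;
        lastAddress = msg.sender;  // without this, the first split is sent to address(0)
    }

    function update(uint256 id) public payable {
        require(id > 0, "dapp id must be non-zero");   // finding: same rule as updateAd
        require(msg.value > 0, "send some ether");
        // No require(msg.sender != address(0)) here: msg.sender can never be
        // the zero address, so such a check only costs gas.

        uint256 half = msg.value / 2;
        address previous = lastAddress;

        // Effects before interaction: record state, then transfer.
        hearts[id] += msg.value;
        lastAddress = msg.sender;

        previous.transfer(half);
        owner.transfer(msg.value - half);
    }
}
```

Seeding lastAddress with the owner means the very first call pays its first half to the owner instead of burning it, and the id check makes a zero id fail in update exactly as it already does in updateAd.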
Minor remark: in the setAccountNickname and setAccountUrl functions, members of the dappVolumeProfile contract, the use of require to check that the message sender address is different from the 0x0 address is unnecessary. It only adds extra computation and gas consumption, since msg.sender cannot be equal to 0x0.
https://github.com/dappvolume/smart-contracts/blob/f95df2c546ff2d175adc3854c75e365377ca0ba4/dappVolumeProfile.sol#L9
https://github.com/dappvolume/smart-contracts/blob/f95df2c546ff2d175adc3854c75e365377ca0ba4/dappVolumeProfile.sol#L15
One medium severity issue was highlighted: the definition of the investment program of the DappVolume project has to be updated following the updateInvestor function definition.
This contract is safe to use, but the above mentioned issue can lead to conflict with the investors. The project team has to solve this problem.