Assessment reportsPublic findings
Back to Zellic site
Assessment reports>SAX>Threat Model>Function: createToken(string hashtag, address recipient, uint16 viralityScore)
GeneralOverview
Findings
High (1)
Medium (1)
Informational (1)
DiscussionUnused and redundant fields of structures Checks-effects-interactions patternRedundant if conditions in `getSellPrice` functionCentralization riskInitial mint sellableToken creator can set viralityIncomplete test coverageToken share rounding errors
Threat ModelWhat are threat models?
BondingViralityController.solFunction: buyTokens(address token, uint256 amount)Function: createToken(string hashtag, address recipient, uint16 viralityScore)Function: sellTokens(address token, uint256 amount)
MerkleTokenShare.sol
Audit ResultsSummary

Function: createToken(string hashtag, address recipient, uint16 viralityScore)

The function allows to deploy the TrendingERC20 contract related to some hashtag string. Tokens should only be created for unique hashtags.

Inputs

  • hashtag

    • Validation: registeredHashtags[hashtagLowercase] — the hashtag should not be already registered.

    • Impact: The hashtag for which the new TrendingERC20 contract will be deployed.

  • recipient

    • Validation: No validation.

    • Impact: The recipient of the initial supply of tokens.

  • viralityScore

    • Validation: No validation.

    • Impact: The initial virality score.

Branches and code coverage (including function calls)

Intended branches

  • The token related to the hashtag was successfully deployed.

Negative behavior

  • The hashtag is already registered.

  • The hashtag is already registered and in uppercase.

  • The caller is not an owner and allowed caller, and allowCreateTokens is false.

  • The caller is not an owner and allowed caller, and allowCreateTokens is true but user does not own enough TrendingERC20 to burn.

Function call analysis

  • _toLower(hashtag)

    • External/Internal? Internal.

    • Argument control? hashtag.

    • Impact: The function lowercases the string to ensure the uniqueness of the token.

  • _verifyPermissions(_msgSender())

    • External/Internal? Internal.

    • Argument control? N/A.

    • Impact: The function validates that the caller is the owner of the contract, or an allowed address from the _allowlist; or if the function is available to everyone, that the caller has burned the required number of other TrendingERC20 tokens.

  • new TrendingERC20(address(this), hashtag, hashtag)

    • External/Internal? External.

    • Argument control? hashtag.

    • Impact: Creates new token contract related to the hashtag.

  • token.mint(recipient, initialSupply)

    • External/Internal? External.

    • Argument control? recipient.

    • Impact: Mints the initial supply amount of tokens.

Zellic © 2024Back to top ↑