Audit Report Polymath Patches For General Transfer Manger, Count Manager And Manual Approval Man

User Manual:

Open the PDF directly: View PDF .
Page Count: 5

Download
Open PDF In Browser	View PDF

Audit Report for Polymath. March 14, 2018.

Summary
This audit has been limited to the patcher applied to release 2.1 of the ​CountTransferManager​,
GeneralTransferManager​ and ​ManualApproveTransfermanager​ contracts of the Polymath
protocol.

Process and Delivery
Three (3) independent Solidified experts performed an unbiased and isolated audit of the below
token swap. The debrief took place on March 14, 2019 and the final results are presented here.

Audited Files
●
●
●
●
●
●
●
●

CountTransferManager.sol
CountTransferManagerFactory.sol
GeneralTransferManager.sol
GeneralTransferManagerFactory.sol
ITransferManager.sol
ManualApprovalTransferManager.sol
ManualApprovalTransferManagerFactory.sol
GeneralTransferManagerStorage.sol

The files were audited on commit ​a8b71e575526284c08803e156ab0c3feca198989​ and solidity
compiler version ​0.4.24

Intended Behavior
The purpose of these contracts is to make general improvements to existing modules

Audit Report for Polymath. March 14, 2018.

Issues Found
Critical
No critical issues were found.

Major
No major issues were found.

Minor
1. Conversion from uint256 to uint64 can overflow
In ​GeneralTransferManager​.sol​ line 227 an ​uint256​ is converted to ​uint64​, this leads to
unexpected behavior when input value doesn’t fit into the ​uint64​ range. This has a high
likelihood to cause problems in the future. For example if some other contract validates input
timestamp is larger than some value before passing them to ​modifyWhitelist​()​ this validation
can be bypassed by passing in a value that will overflow ​uint64​.
Recommendation:
Either change the interface to match ​uint64​ storage format or store ​uint256​.
Amended [18.02.2019]
The issue was fixed and is no longer present in commit
0008f283c1a6cd98555825faffb47979b79968d0​.

Audit Report for Polymath. March 14, 2018.

Notes
2. Approvals array is unbounded
In ​ManualApprovalTransferManager​.sol​ there's an unbounded array, which if grown too
large it can make some operations impossible. We understand the need for that array to be able
to have the ​getActiveApprovalsToUser​()​ function, but it's tradeoffs must be further analyzed.
Polymath's response:
This array is only used within a getter (`view`) function which will be called by an off-chain
process, so gas costs are not relevant.
Amended[18.02.2019]
Solidified agrees with Polymath's and consider this issue fixed.

3. Sanitize inputs
In ​GenerealTransferManager​.sol​, the functions ​changeDefault​, ​changeIssuanceAddress
and ​changeSigningAddress​ don't perform any kind of input sanitization. It could be useful to
prevent some invalid inputs.
Amended [18.02.2019]
The issue was fixed and is no longer present in commit
0008f283c1a6cd98555825faffb47979b79968d0​.

4. ModifyManualApproval has confusing type
ManualApprovalTransferManager​.sol​: the use of integer for ​modifyManualApproval​ for
change direction is confusing. Consider replacing it for a ​bool​ or an ​enum
Amended [18.02.2019]
The issue was fixed and is no longer present in commit
0008f283c1a6cd98555825faffb47979b79968d0​.

Audit Report for Polymath. March 14, 2018.

5. Smaller gas optimizations
ManualApprovalTransferManager:
* Line 199, 200: could be merged into one variable to safe gas
* Line 216: could be removed
* Redundant storage reads in lines 86,87,125,126,266,269,358 and 359. Those could be
optmized to perform only one storage read:
uint256 index = approvalIndex[_from][_to] - ​1​;
​if​ (index != uint256(​-1​)) {
...
}

Amended [18.02.2019]
The issue was fixed and is no longer present in commit
0008f283c1a6cd98555825faffb47979b79968d0​.

6. Improvements on clarity
Consider renaming variables ​toTime​ and ​fromTime​ to ​receiveTime​ and ​sendTime​. This
greatly improves clarity, and will diminish the time one needs to fully understand the smart
contract.
Amended [18.02.2019]
The issue was fixed and is no longer present in commit
0008f283c1a6cd98555825faffb47979b79968d0​.

Audit Report for Polymath. March 14, 2018.

Closing Summary
Although no critical or major issues were found, there are some minor issues that can
affect the desired behavior and it's recommended that they're addressed before
proceeding to deployment.

Disclaimer
Solidified audit is not a security warranty, investment advice, or an endorsement of the
Polymath platform or its products. This audit does not provide a security or correctness
guarantee of the audited smart contracts. Securing smart contracts is a multistep
process, therefore running a bug bounty program as a complement to this audit is
strongly recommended.
The individual audit reports are anonymized and combined during a debrief process, in
order to provide an unbiased delivery and protect the auditors of Solidified platform from
legal and financial liability.
Solidified Technologies Inc.



---

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : Yes
Producer                        : Skia/PDF m75
Page Count                      : 5

EXIF Metadata provided by EXIF.tools