Auditing firm

Least Authority (https://leastauthority.com)

Audit report

Target Code and Revision

Scope:

https://github.com/FundRequest/vesting-wallets/tree/master/contracts

Third party vendor code is considered out of scope.

Git revision

4ae4191a32f83017eb0502b5b333b7ec44f88046

Findings

The FundRequest Vesting Wallet contract is structured clearly and functions as designed. The contract is short and simple and is paired with adequate test coverage. We did find some areas where more defensive programming techniques should be used to prevent usage mistakes that could lead to loss of funds.

ISSUES

Issue A:

Impact : Potential loss of funds

Feasibility : High, can occur with simple typo.

Mitigation : Add require(_percentage <= 100); between lines 98 and 99 in VestingWallet#registerVestingScheduleWithPercentage

Issue B:

Impact : ​Potential loss of funds

Feasibility : High, can occur due to poor internal communication.

Mitigation : Redesign this into an approval flow where a vesting schedule does not become valid/active until a corresponding deposit is made (or there already exists an appropriate deposit).

Issue C:

Impact : Temporary locking of funds with reconciliation workflow possibly leading to additional user input mistakes.

Feasibility : High, can occur with simple typo.

Mitigation : Implement a method that explicitly balances the deposit amount to match the sum of all vesting schedules, refunding the remainder to the owner of the vesting wallet in order to reduce the complexity of recovering from over-deposit and mitigate further mistakes.

RESOLUTIONS

Issue A:

Fix has been implemented. See following pull request.

Issue B:

Fix has been implemented. See following pull request.

Issue C:

We chose not to mitigate Issue C, as we can recover from this issue with a few small steps. The fix to this problem would also impose some extra computation, which we chose not to develop.

Conducted by