The Nomic Labs team audited the MolochPool contract at version 721443849c8a6d7e64daf6d2910bc4681d42ac06. We found the contract to be short, functionally minimalistic, and free of security issues.

Audit Results

Low severity issues

[MOL2-L01] A newly deployed MolochPool can be activated by an attacker

Deploying a MolochPool contract requires two transactions. The first one deploys the contract, and the second one activates it.

An attacker could detect a MolochPool being deployed and call MolochPool#activate before the deployer does, setting arbitrary parameters.

The only impact of this attack is that the deployer would be forced to redeploy the MolochPool contract.

Other comments and recommendations

[MOL2-O01] Most require calls don’t have a revert reason

Most require calls in the MolochPool contract don’t have revert reasons. Consider adding them before the deployment, as they would make the contract easier to work with.

[MOL2-O02] State-modifying actions don’t emit events

Consider adding events to the MolochPool contract to make monitoring it easier.
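
The following sketch is an added example, not MolochPool's code or code from the audit. It shows the two-transaction pattern from MOL2-L01 beside a guarded form that also applies the suggestions in MOL2-O01 and MOL2-O02. The contract names, the single `_initialShares` parameter, the compiler version, and the assumption that the deployer is an externally owned account (not a factory) are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not the MolochPool source: contract names, parameters
// and state variables are assumptions chosen for illustration.

// Pattern described in MOL2-L01: deployment and activation are separate
// transactions, and activate() accepts any caller.
contract TwoStepPoolOpen {
    bool public activated;
    uint256 public initialShares; // assumed parameter

    function activate(uint256 _initialShares) external {
        require(!activated); // no revert reason (MOL2-O01), no event (MOL2-O02)
        activated = true;
        initialShares = _initialShares;
    }
}

// Guarded form: only the deploying account can activate, every require
// carries a revert reason, and the state change emits an event.
contract TwoStepPoolGuarded {
    address public immutable deployer; // recorded once, in the deployment tx
    bool public activated;
    uint256 public initialShares; // assumed parameter

    event Activated(address indexed by, uint256 initialShares);

    constructor() {
        deployer = msg.sender;
    }

    function activate(uint256 _initialShares) external {
        require(msg.sender == deployer, "TwoStepPool: caller is not deployer");
        require(!activated, "TwoStepPool: already activated");
        require(_initialShares > 0, "TwoStepPool: zero initial shares");
        activated = true;
        initialShares = _initialShares;
        emit Activated(msg.sender, _initialShares);
    }
}
```

With the guarded form, a third party's call to `activate` reverts with a readable reason, and the `Activated` event lets the deployer confirm from the logs which account activated the pool and with what value.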