ICEDAO Presale Contract Review

IndyZa
Dec 1, 2021

Review Date: 1 Dec 2021 19:06 UTC

Note: This review covers only the presale contract and the token. It does not include components such as the token migrator, which was not deployed at the time of writing.

Basic Information

Contract Address: https://snowtrace.io/address/0xE0F59F14fdB367AA6ec79964EFcB519Bb94F9809#code

Owner Address: https://snowtrace.io/address/0xc19e4f161e373b294a918bcf44a3e81823493c66

DAO Address: https://snowtrace.io/address/0x0061f0a9e104e058299a7336190dfc8a382276dd#code

alphaICE Address: https://snowtrace.io/address/0xef3a9b48be8f89847ebda13dd47cc37151d525fc#code

Interesting Point

1. Ownership is not renounced.

2. The purchaseICE function is used to trade MIM for alphaICE. Both whitelisted and non-whitelisted addresses can use it, but only once per address. You can only buy if the sale is set to started and only after the sale start time, which is set by the owner.

For whitelisted addresses: they can buy any amount from the minimum to the maximum designated by minAmount and maxAmount, between the start timestamp and the end timestamp. They can also choose not to participate in the whitelist round.

For non-whitelisted addresses: they can buy up to a cap that is set separately from the whitelist limits (remainingPurchasesMaxAmt), and can only purchase after the whitelist round has ended (after the end timestamp).

Once the checks pass, the user sends MIM to the contract, the contract immediately sends that MIM to the DAOAddress, and the user receives alphaICE directly from the contract, equal to the amount they purchased.

Please keep in mind that the MIM is not held in the contract. It sits in the DAOAddress, where it is transferred the moment the trade happens.

PurchaseICE function

3. DAOAddress is a MultiSigWalletWithDailyLimit. The code is a fork of the Gnosis one; since the whole code is long, I'll just summarize it in easy-to-understand terms.

“The multisig has 3 addresses that control this contract, which acts as a wallet. Each action needs to be confirmed by 3 addresses before it is executed. There is also a limit on the number of times you can make a transaction per day.”

These are the 3 wallets:

0x08155e92dba20e203ec4eb8327d1b06009a0dcd8, 0xaa446e32b8c1f1bb82e6a548c6baf54654ebe911, 0xd306a1c88e4cb8128d78bd5e55e7eb51f2d0b420

4. The initialized function is used to set up the contract values, which consist of:

  • DAOAddress address
  • alphaICE token address
  • MIM address
  • min/max amount of purchase (minAmount, maxAmount)
  • total amount of purchase (toTalAmount)
  • sale price of the token (salePrice)
  • start/end time of the whitelist sale period (startTimestamp, endTimestamp); the end timestamp is the end of the whitelist sale
  • maximum purchase amount for non-whitelisted addresses (remainingPurchasesMaxAmt)

Only the owner is allowed to call the initialize function, and the owner can call it as many times as they want, with no limitation. This means that the owner can change the DAOAddress at any time, so if a purchaseICE call happens after the new address is set, all of that MIM will be transferred to the new wallet.

initialize function
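One way to close the re-initialization gap described above, shown beside the pattern the review describes. This is an added sketch, not the deployed ICEDAO code: the contract names, the `initialized` flag, the `Initialized` event and the simplified `purchaseICE` body (no whitelist, price or purchase limits) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared state and purchase path. Names follow the review; bodies are assumptions.
abstract contract PresaleBase {
    address public immutable owner;
    address public DAOAddress;
    IERC20 public MIM;
    IERC20 public alphaICE;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // MIM goes straight to DAOAddress as read at call time; nothing stays in the contract.
    function purchaseICE(uint256 amount) external {
        require(DAOAddress != address(0), "sale not initialized");
        require(MIM.transferFrom(msg.sender, DAOAddress, amount), "MIM transfer failed");
        require(alphaICE.transfer(msg.sender, amount), "alphaICE transfer failed");
    }
}

// Pattern the review describes: owner-only, but callable any number of times,
// so the MIM recipient can be replaced while the sale is running.
contract ReinitializablePresale is PresaleBase {
    function initialize(address dao, IERC20 mim, IERC20 alpha) external onlyOwner {
        DAOAddress = dao; MIM = mim; alphaICE = alpha;
    }
}

// Hardened form: the recipient is fixed by the first successful call.
contract OneShotPresale is PresaleBase {
    bool public initialized;
    event Initialized(address indexed dao); // lets buyers audit the recipient on-chain

    function initialize(address dao, IERC20 mim, IERC20 alpha) external onlyOwner {
        require(!initialized, "already initialized");
        require(dao != address(0), "zero DAO address");
        initialized = true;
        DAOAddress = dao; MIM = mim; alphaICE = alpha;
        emit Initialized(dao);
    }
}
```

With the one-shot guard, any later change of recipient would have to be a separate function, which can then be restricted to the multisig itself rather than to the single owner key.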

Closing Thought

1. This is a contract with no withdrawal function: neither the owner nor anyone else can withdraw anything from the contract. The main caveat is that the funds are sent directly to the DAOAddress, which is currently a 3/3 multisig address (3 signatures out of 3 to approve). BUT the problem is that the initialized function can be used by the owner to change the DAOAddress and then redirect the funds somewhere else without the consent of the multisig wallet. Using a 3/3 also means that all signers need to agree, which can lead to indecision or the possibility of FUNDS being stuck forever if even 1 address doesn’t agree.
So ONLY INVEST IF YOU TRUST THE DEVELOPER.

2. This is a great example where having a multisig does not guarantee 100% safety; it depends solely on how it is programmed and on whether there is a higher authority or exploit behind it.

3. The alphaToken received cannot be minted by anyone. Minting happened only once, at contract creation: 30,000 tokens, sent to the creator. This also means that there will be no LP pool (as in the aROME case) unless users provide it themselves.

4. Overall, this is a simple presale implementation with both good and bad points: it uses a multisig, but with the possible exploit mentioned above.

Possible Rug Route

Here we demonstrate a possible way to rug with this contract:

  1. Wait for the first few people to deposit MIM with the purchaseICE function
  2. The owner uses the initialize function to change the DAOAddress to their own address
  3. All MIM traded via purchaseICE after step 2 is sent to the owner's wallet
