SpiritDAO Presale Contract Review

IndyZa
Dec 19, 2021

Review Date: 20 Dec 2021 20.32 UTC

Disclaimer: This is not an audit of any kind. Please do not call my code review an audit. These reviews are for entertainment & education purposes only and are not financial advice.

Basic Information

Contract Address: https://snowtrace.io/address/0x730FcE90820a010c764c2066686d62ac263BFd6A#code

Owner Address (Normal Wallet): https://snowtrace.io/address/0x54f2bc4647b06c96bf645c918e1dcf51d76b5bc7

DAO Address (Gnosis Multi-Sig Wallet): https://snowtrace.io/address/0x904403702a229e57902a1e9a9648195ab56de7ae#code

alphaSPRT (alphaSpirit) Token Address: https://snowtrace.io/address/0xbd028a905e0509ece047fa84b72890f12090c119#code

This review was done before the presale opened and is based on the chat in Discord:
https://discord.com/channels/918449620189855824/918459688755023912/922207033862787132

Message from Admin in SpiritDAO discord

Interesting Points

1. The presale contract ownership is not renounced.

2. DAOAddress cannot be altered by any means after the creation of the contract.

Contract Creation Value (Constructor)

3. The owner of the contract and the DAO Address are different. The owner controls all actions on the presale contract, while the DAO Address is only used for storing the funds from purchases.

The DAO Address is a Gnosis Multi-Sig Wallet with a 3/3 policy, meaning all 3 addresses need to sign/agree to execute a transaction.

The 3 signers for the DAO Address are:
0x0706B9C6A42E84ACc6aBA96A94C07D4Bf7123245,
0x54f2bc4647b06C96BF645c918E1dcf51D76b5bc7,
0xD306A1C88e4cB8128D78BD5E55e7eb51F2D0b420

Requiring every signature (3/3 in this case) also means that if one of them doesn't sign, no action can happen. It is a double-edged sword.

For instance, if the team tries to rug and another signer refuses, your funds will still be stuck forever and can never be recovered through this contract unless all of them sign.

Users should always make sure that each address belongs to the intended person and should ask for evidence, to avoid a “one person, multiple wallets” situation.

4. The initialize function can only be used by the owner, at any time. These are the values that the owner can set:
- alphaSPRT address (alphaTOKEN) = 0xbd028a905e0509ece047fa84b72890f12090c119
- mim address (mim) = 0x130966628846bfd36ff31a822705796e8cb8c18d
- minimum buy amount per user (minAmount) = 500 MIM or 500000000000000000000
- maximum buy amount per user (maxAmount) = 1,200 MIM or 1200000000000000000000
- total amount of MIM for this presale (totalAmount) = 360,000 MIM or 360000000000000000000000
- sale price of the alphaSPRT token (salePrice) = 10 MIM per alphaSPRT
- max amount of purchasable token in public sale (remainingPurchasesMaxAmt) = 500 MIM or 500000000000000000000

The values displayed above are the values at the time of writing.

Since these can be changed at any time by the owner, I would advise users who wish to purchase to check these values before purchasing here

initialize function

Similarly, the setAllocation function also allows the owner to alter minAmount and maxAmount at any time.

setAllocation function

5. The purchase function can be used by a user to exchange a desired amount of MIM for alphaSPRT. It can only be used ONCE per user.

In order to use this function:
- the user must be whitelisted during the private sale, or not whitelisted during the public sale (the public sale is triggered manually by the owner using the togglePublicSale function)
- the user must not have bought before
- the sale must have been started by the owner (openIDO)

When the user purchases, the contract transfers MIM from the user's address to the DAO Address, then records that the user has already bought and how much they bought. The contract then sends alphaSPRT tokens to the user for the value purchased.

The amount a user can buy is not the same in the private and public presale, and the user needs to choose one of the two. Both have an exchange price of 10 MIM per alphaSPRT.
In the private sale, the max allocation is 1,200 MIM per user.
In the public sale, the max allocation is 500 MIM per user.

purchase function.
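
The pre-purchase check suggested in items 4 and 5, as an added Python sketch that is not part of the original review or the contract's code. It compares a later read of the owner-settable values against the snapshot recorded in this review and models the purchase preconditions as described above. The `salePrice` representation (whole MIM per alphaSPRT), the status flags passed in, and the constructed "current" sample are assumptions; reading the live values from the chain is left out so the example runs offline.

```python
from decimal import Decimal

WEI = 10 ** 18  # raw values in the review are 18-decimal integers

# Snapshot from item 4 of this review, in raw units.
REVIEWED = {
    "minAmount": 500 * WEI,
    "maxAmount": 1200 * WEI,
    "totalAmount": 360_000 * WEI,
    "remainingPurchasesMaxAmt": 500 * WEI,
    "salePrice": 10,  # assumption: whole MIM per alphaSPRT
}

# Constructed sample of a later on-chain read: the owner has re-run initialize.
CONSTRUCTED_CURRENT = dict(REVIEWED, salePrice=20, maxAmount=5000 * WEI)


def drift(current, reviewed=REVIEWED):
    """Return {name: (reviewed, current)} for each value that differs."""
    return {k: (v, current.get(k)) for k, v in reviewed.items()
            if current.get(k) != v}


def check_purchase(params, amount_mim, *, whitelisted, public_sale,
                   sale_open, already_bought):
    """Model the purchase preconditions as the review describes them.

    Returns (ok, reasons, expected alphaSPRT in whole tokens)."""
    amount = int(Decimal(amount_mim) * WEI)
    reasons = []
    if not sale_open:
        reasons.append("sale not opened by owner")
    if already_bought:
        reasons.append("address already purchased once")
    if public_sale == whitelisted:
        # private sale needs whitelisted; public sale needs not whitelisted
        reasons.append("whitelist status does not match sale phase")
    cap = params["remainingPurchasesMaxAmt" if public_sale else "maxAmount"]
    if amount < params["minAmount"]:
        reasons.append("below minAmount")
    if amount > cap:
        reasons.append("above cap for this phase")
    expected = Decimal(amount) / WEI / params["salePrice"]
    return (not reasons, reasons, expected)


if __name__ == "__main__":
    print(drift(CONSTRUCTED_CURRENT))
    print(check_purchase(REVIEWED, "1200", whitelisted=True, public_sale=False,
                         sale_open=True, already_bought=False))
```

Any non-empty result from `drift` means the owner has changed a value since this review was written, so the figures quoted above no longer describe the sale.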

6. The whitelistUsers and unwhitelistUsers functions can only be used by the owner, at any time. They allow the owner to add and remove addresses from the whitelist.

whitelistUsers and unwhitelistUsers functions

7. Ownership of the alphaSPRT token contract is not renounced. The owner can mint unlimited alphaSPRT tokens at any time.

mint function in AlphaSpirit.sol

8. (Bonus) This contract has a lot of similarities to the ICEDAO presale contract. See if you can catch them. (Hint: look at the purchase function)

ICEDAO Presale Contract Review
https://medium.com/@indyza/icedao-presale-contract-review-cf3feee904f3

SpiritDAO Presale Contract (Left), ICEDAO Presale Contract (Right)

Closing Thoughts

  1. This is a contract with no withdrawal function: neither the owner nor anyone else can withdraw anything from the contract. The main caveat is that the funds are sent directly to the DAOAddress, which is currently a 3/3 multi-sig address (3 signatures out of 3 to approve).

    Using 3/3 also means that all signers need to agree, which can lead to indecision or the possibility of funds being stuck forever if only 1 address doesn’t agree.
    So ONLY INVEST IF YOU TRUST THE DEVELOPER.
  2. There is a risk of the owner minting unlimited alphaSPRT and exchanging it for SPRT, since the multi-sig does not hold ownership of the token contract.
    This can cause a possible hard/soft rug in the future if it is handled improperly during the alphaSPRT to SPRT claiming process.
  3. There is a risk of the owner changing critical values, such as the sale price, during the presale launch with the initialize function.
  4. There is a risk of alphaSPRT becoming useless if the alphaSPRT to SPRT contract is not deployed, since it does not exist yet.
  5. Overall this is a simple contract with incomplete use of the multi-sig for crucial contracts, carrying the risks mentioned above.

Possible Rug Route

Here we demonstrate a possible way to hard-rug with this contract

  1. Let people buy alphaSPRT in exchange for MIM with the purchase function.
  2. Deploy the OHM fork normally and allow claiming of alphaSPRT to SPRT for any user.
  3. The owner convinces the multi-sig to create liquidity for alphaSPRT-MIM or SPRT-MIM and put MIM in the treasury as would normally be done.
  4. The owner uses unlimited minting of alphaSPRT via the token's mint function, exchanges it for SPRT and dumps on the whole market.

Here we demonstrate a possible way to soft-rug with this contract

  1. Let people buy alphaSPRT in exchange for MIM with the purchase function.
  2. Deploy the OHM fork normally and allow claiming of alphaSPRT to SPRT for any user.
  3. The owner convinces the multi-sig to create liquidity for alphaSPRT-MIM or SPRT-MIM and put MIM in the treasury as would normally be done.
  4. The owner uses unlimited minting of alphaSPRT via the token's mint function to another address, exchanges it for SPRT, then gradually dumps the minted SPRT on the market.

Here we demonstrate a possible way to stuck-rug with this contract

  1. Let people buy alphaSPRT in exchange for MIM with the purchase function.
  2. Something happens and one of the signer addresses in the multi-sig refuses to approve a transaction.
  3. Funds are stuck forever in the multi-sig wallet.

*Stuck-rug means funds stuck forever in an address.

If this was helpful to you, you can tip me here
Tip Address [ERC20/BSC/AVAX(C-chain)/Polygon/FTM]
0xC1f2154ea0B0E5779Ff84bb11A5ed209Fd0741DF

Follow me on Twitter: https://twitter.com/indyza_

Join Olympians Discord for discussion and code review request in (#🛠│code-talk): https://discord.gg/ucQwJZEmwa
