The Nomic Labs team conducted an audit of the MolochPool contract on version 721443849c8a6d7e64daf6d2910bc4681d42ac06. We found the contract to be short, minimalistic functionally, and with no security issues.
Low severity issues
[MOL2-L01] A newly deployed
MolochPool can be activated by an attacker
MolochPool contract requires two transactions. The first one deploys the contract, and the second one activates it.
An attacker could detect a MolochPool being deployed and call
MolochPool#activate before the person performing the deployment, setting arbitrary parameters.
The only impact of this attack is that the deployer would be forced to redeploy the
Other comments and recommendations
[MOL2-O01] Most require calls don’t have a
Most require calls in the
MolochPool contract don’t have
revert reasons. Consider adding them before the deployment, as they would make working with it easier.
[MOL2-O02] State-modifying actions don’t emit events
Consider adding events to the
MolochPool contract to make monitoring it easier.
MolochPool#currentProposalIndex’s name can be confusing
This variable name seems to indicate that it keeps track of the last synced proposal but contains the index of the next proposal to sync instead. A better name could be