The full list of contracts and considered properties can be found in the final audit report.
The DAO voting system itself turned out to be well implemented and of high quality, in its functionality mostly following the previously published Governance whitepaper. A high degree of modularity was achieved in the code base introducing a clear overall structure.
Nonetheless, ChainSecurity managed to uncover several vulnerabilities and propose design improvements. Most notably, an unfortunately still common misuse of the EXTCODESIZE was originally present: Namely, using this opcode to detect that the message sender or transaction initiator is not a contract account, but an externally owned account. Given that such checks can be easily circumvented, this restriction can not be relied upon to enforce proper access control even though there may be benign use cases. For more information of this, we are glad to point to the Smart Contract Best Practices to which ChainSecurity contributed for this issue.
As for the roles present in the DAO system, these distinguish mainly between the Digix administrative roles, initiators of proposals which are to be voted on by other users and finally the voters themselves. An overview of the roles and their conditional rights is provided in the introductory section of the audit report.
Finally, ChainSecurity remarks that all vulnerabilities and issues were professionally and swiftly addressed by the Digix team and we are now curiously following further development and adoption of the project.
About Digix
Digix is one of the world’s first Smart Asset companies and aims to be the leading brand in tokenizing the world’s tangible assets.
Learn more about Digix Dao #here.