Summary
The DAO voting system itself turned out to be well implemented and of high quality; in its functionality it mostly follows the previously published Governance whitepaper. A high degree of modularity was achieved in the code base, giving it a clear overall structure.
Nonetheless, ChainSecurity Ltd managed to uncover several vulnerabilities and to propose design improvements. Most notably, an unfortunately still common misuse of the EXTCODESIZE opcode was originally present: namely, using this opcode to detect that the message sender or transaction initiator is not a contract account but an externally owned account. Since such checks can easily be circumvented (a contract has no deployed code yet while its constructor is executing), this restriction cannot be relied upon to enforce proper access control, even though there may be benign use cases. For more information on this, we refer to the Smart Contract Best Practices, to which ChainSecurity Ltd contributed on this issue.
As for the roles present in the DAO system, these distinguish mainly between the Digix administrative roles, the initiators of proposals which are to be voted on by other users, and finally the voters themselves. An overview of the roles and their conditional rights is provided in the introductory section of the audit report.
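The following Solidity snippet is an added illustration and not code from the DigixDAO contracts or from the audit report. It shows the two points above side by side: the weak pattern of gating a function on EXTCODESIZE, with a comment on why the check does not hold, and the alternative the report's role discussion implies, in which administrative, proposer and voter rights are granted explicitly rather than inferred from the caller's account type. All contract and function names (`VotingWeakCheck`, `VotingExplicitRoles`, `hasCode`, the role mappings) are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not DigixDAO code. Names below are hypothetical.

library AddressCheck {
    // Returns true only if `account` currently has non-empty deployed code.
    // It returns false for externally owned accounts, but ALSO for a contract
    // whose constructor is still running (its code is stored only after the
    // constructor finishes), so "no code" does not mean "not a contract".
    function hasCode(address account) internal view returns (bool) {
        uint256 size;
        assembly { size := extcodesize(account) }
        return size > 0;
    }
}

// Weak pattern: trying to restrict voting to externally owned accounts.
contract VotingWeakCheck {
    mapping(uint256 => uint256) public votes;
    mapping(address => mapping(uint256 => bool)) public hasVoted;

    // Cannot be relied on as access control: any code running from a
    // constructor passes this check, so it neither stops contracts nor
    // establishes who is actually entitled to vote.
    modifier onlyNotContract() {
        require(!AddressCheck.hasCode(msg.sender), "contracts not allowed");
        _;
    }

    function vote(uint256 proposalId) external onlyNotContract {
        require(!hasVoted[msg.sender][proposalId], "already voted");
        hasVoted[msg.sender][proposalId] = true;
        votes[proposalId] += 1;
    }
}

// Hardened pattern: do not classify callers, grant rights explicitly.
// Mirrors the three role groups named in the audit summary.
contract VotingExplicitRoles {
    address public admin;                       // administrative role
    mapping(address => bool) public isProposer; // may create proposals
    mapping(address => bool) public isVoter;    // may cast votes

    uint256 public proposalCount;
    mapping(uint256 => uint256) public votes;
    mapping(address => mapping(uint256 => bool)) public hasVoted;

    event ProposalCreated(uint256 indexed id, address indexed proposer);
    event Voted(uint256 indexed id, address indexed voter);

    constructor() {
        admin = msg.sender;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // The admin role decides who may propose and who may vote. Whether an
    // address is a contract or an EOA is irrelevant to the decision.
    function setProposer(address who, bool allowed) external onlyAdmin {
        isProposer[who] = allowed;
    }

    function setVoter(address who, bool allowed) external onlyAdmin {
        isVoter[who] = allowed;
    }

    function createProposal() external returns (uint256 id) {
        require(isProposer[msg.sender], "not a proposer");
        id = ++proposalCount;
        emit ProposalCreated(id, msg.sender);
    }

    function vote(uint256 proposalId) external {
        require(isVoter[msg.sender], "not a voter");
        require(proposalId != 0 && proposalId <= proposalCount, "no such proposal");
        require(!hasVoted[msg.sender][proposalId], "already voted");
        hasVoted[msg.sender][proposalId] = true;
        votes[proposalId] += 1;
        emit Voted(proposalId, msg.sender);
    }
}
```

The design point is that `VotingExplicitRoles` never asks "is the caller a contract?"; it asks "has this address been granted this right?", which is a question the contract can answer deterministically from its own state. If a project genuinely needs to exclude contract callers for a benign reason, the Smart Contract Best Practices note that comparing `msg.sender` with `tx.origin` at least guarantees the immediate caller is the transaction initiator, but that comparison is still not a substitute for explicit authorization.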
Finally, ChainSecurity Ltd notes that all vulnerabilities and issues were professionally and swiftly addressed by the Digix team, and we are now following the further development and adoption of the project with interest.
About Digix
Digix is one of the world’s first Smart Asset companies and aims to be the leading brand in tokenizing the world’s tangible assets.
Learn more about Digix Dao at https://digix.global/dgd/
We are extremely pleased with our choice. All the security auditors were great to work with and their services were professionally conducted. I would recommend ChainSecurity Ltd to anyone looking for top notch secure solutions for blockchains and smart contracts.
Shaun Djie, COO