Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Refundable Crowdsale #877

Closed
cwhinfrey opened this issue Apr 6, 2018 · 2 comments
Closed

Refundable Crowdsale #877

cwhinfrey opened this issue Apr 6, 2018 · 2 comments
Assignees
@nventuro
Labels
bug contracts Smart contract code.
Milestone
v2.1

Comments

@cwhinfrey
Copy link
Contributor

🎉 Description

The current implementation of RefundableCrowdsale refunds the original purchaser if the goal is not met. However, tokens can be transferred instantly. This opens up refundable crowdsales that do not meet their goal to the following attack:

  1. The attacker purchases tokens from the crowdsale.
  2. The attacker sees that the goal is unlikely to be met and sells the tokens to a naive user (possibly at a discount).
  3. The goal is not met and the attacker's ETH is refunded while the naive user is left with worthless tokens.

This could be prevented by pausing token transfers until the goal is reached or until the crowdsale is finalized.

It is also possible that refunds could be given as tokens are returned but it would greatly complicate the crowdsale when presale allocations and bonuses are involved.

🐛 This is a bug report.
@frangio
Copy link
Contributor

frangio commented Apr 17, 2018

Thanks for the detailed report @cwhinfrey! We will look into it.

@frangio frangio self-assigned this Apr 17, 2018
@frangio frangio assigned shrugs and unassigned frangio May 3, 2018
@shrugs shrugs mentioned this issue May 4, 2018
Closed
4 tasks
@shrugs shrugs added review and removed backlog labels May 7, 2018
@shrugs shrugs added next and removed review labels Jul 15, 2018
@frangio frangio added this to the v1.12.0 milestone Jul 20, 2018
@nventuro nventuro modified the milestones: v1.12.0, v2.0 Jul 27, 2018
@nventuro nventuro added the contracts Smart contract code. label Jul 27, 2018
@nventuro nventuro removed the next label Aug 24, 2018
@frangio frangio modified the milestones: v2.0, v2.1 Sep 18, 2018
@come-maiz come-maiz modified the milestones: v2.0, v2.1 Oct 19, 2018
come-maiz pushed a commit that referenced this issue Oct 19, 2018
Add warning about trading tokens before refundable crowdsale goal is met
df36945 
This attack was reported in #877
@come-maiz come-maiz mentioned this issue Oct 19, 2018
Merged
come-maiz pushed a commit that referenced this issue Oct 19, 2018
Add warning about trading tokens before refundable crowdsale goal is …
80458eb 
…met (#1452)

This attack was reported in #877
come-maiz pushed a commit that referenced this issue Oct 21, 2018
@come-maiz
Add warning about trading tokens before refundable crowdsale goal is …
ae33933 
…met (#1452)

This attack was reported in #877

(cherry picked from commit 80458eb)
@frangio frangio modified the milestones: Test helpers, v2.1 Nov 20, 2018
@frangio frangio assigned nventuro and unassigned shrugs Nov 27, 2018
@frangio
Copy link
Contributor

frangio commented Dec 4, 2018
edited
Loading

Since the suggested change breaks the API (yes we should have done this before 2.0), @nventuro suggested to create a new one that is Refundable + PostDelivery, and to deprecate the current one.

@nventuro nventuro mentioned this issue Dec 6, 2018
Merged
ninjacrypto added a commit to ninjacrypto/openzeppelin-solidity that referenced this issue Aug 24, 2023
@ninjacrypto
Add warning about trading tokens before refundable crowdsale goal is …
1cb37ae 
…met (#1452)

This attack was reported in OpenZeppelin/openzeppelin-contracts#877
ninjacrypto added a commit to ninjacrypto/openzeppelin-solidity that referenced this issue Aug 24, 2023
@ninjacrypto
Add warning about trading tokens before refundable crowdsale goal is …
8a572c9 
…met (#1452)

This attack was reported in OpenZeppelin/openzeppelin-contracts#877

(cherry picked from commit 80458ebc72f1c7c9695416edbe26690f72e406a0)
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@nventuro nventuro

Labels
bug contracts Smart contract code.
Projects
None yet
Milestone
v2.1
Development

Successfully merging a pull request may close this issue.

fix: force RefundableCrowdsale to also be a PostDeliveryCrowdsale shrugs/openzeppelin-solidity
5 participants
@frangio @come-maiz @shrugs @nventuro @cwhinfrey