Mavia Token

Off-Chain (Private)
Audited on 2023/11/09
No active critical issues

Summary

Quantstamp performed an audit for the Mavia token ERC-20 contract in the linked repository. The Heroes of Mavia token is deployed at the following address: 0x24fcFC492C1393274B6bcd568ac9e225BEc93584

All issues found during the audit have been fixed, or acknowledged as intended behavior. During the audit we were able to identify numerous areas of focus, including:

- Abuse of privileged roles
- Stolen funds from token holders
- Bypassable transfer constraints

During the course of the audit, we were able to identify one high-severity and three medium-severity issues. Among them, perhaps the most concerning from the perspective of likelihood and impact is MAV-1, which allows authorized callers to transfer Mavia tokens from any address without explicit approval from the token holder. The three medium-severity issues are all associated with the privileged roles' power in limiting or entirely preventing users from transferring their Mavia tokens. Specifically, the deployer is minted the entire initial supply of four million Mavia tokens, and no further minting can occur. Also, the deployer is granted two privileged roles, which allow the deployer to control circulating tokens and users' ability to transfer and possess tokens. We recommend the client address and consider all the findings in this report.

**Update**: The Mavia team has now fixed or sufficiently acknowledged all issues within the report, which has been provided under commit hash 2507fbde3e55137141bcf9f787e2dfda351b96a9. However, the audit team recommends inheriting standardized permit functionality from [ERC20Permit](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC20/extensions/ERC20Permit.sol) for MAV-1 as well as clearly documenting all privileged roles and their actions for MAV-2.
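As an added illustration (not the Mavia contract or Quantstamp's code), the pattern behind a MAV-1 style finding beside the hardened form the audit recommends; the contract names, the operator role and the OpenZeppelin Contracts v5 imports are assumptions, and the four-million mint only mirrors the initial supply described above:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited Mavia code. Assumes OpenZeppelin Contracts v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Permit} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Permit.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical pattern behind a MAV-1 style finding: a role-gated function
// moves tokens out of ANY holder's balance through the internal _transfer,
// so the holder's allowance is never consulted.
contract RiskyToken is ERC20, AccessControl {
    bytes32 public constant OPERATOR_ROLE = keccak256("OPERATOR_ROLE");

    constructor() ERC20("Risky", "RSK") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(OPERATOR_ROLE, msg.sender);
        _mint(msg.sender, 4_000_000 * 10 ** decimals()); // whole supply to deployer
    }

    // The holder never approved the operator; the privileged role alone suffices.
    function operatorTransfer(address from, address to, uint256 amount)
        external
        onlyRole(OPERATOR_ROLE)
    {
        _transfer(from, to, amount);
    }
}

// Hardened form following the audit recommendation: inherit ERC20Permit so a
// relayer can spend only what the holder signed for (EIP-2612), and every
// third-party move still passes the allowance check inside transferFrom.
contract SafeToken is ERC20, ERC20Permit {
    constructor() ERC20("Safe", "SAFE") ERC20Permit("Safe") {
        _mint(msg.sender, 4_000_000 * 10 ** decimals());
    }

    // Gasless flow: the holder signs a permit off-chain; anyone may submit it
    // with the transfer. Reverts unless the signature is valid and unexpired.
    function permitAndTransfer(
        address owner, address to, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        permit(owner, msg.sender, amount, deadline, v, r, s);
        transferFrom(owner, to, amount); // spends the allowance just granted
    }
}
```

The difference to look for in review is whether any externally reachable path reaches `_transfer` or `_update` with a `from` other than the caller without an allowance or signed permit being consumed first.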


Issues (9)

| | Low | Medium | High | Critical | Total |
|---|---|---|---|---|---|
| Not fixed | 2 | 3 | - | - | 5 |
| Fixed | 3 | - | 1 | - | 4 |
| Total | 5 | 3 | 1 | 0 | 9 |


Contract (1)