Space Nation

Off-Chain (Public)
Audited on 2025/02/12
No active critical issues

Summary

Quantstamp audited Space Nation's new ERC-20 token (`OIK`) and a contract that manages airdrops and claimed funds through signatures (`ClaimToken`). Four medium-severity issues and several of lower severity were identified in the `ClaimToken` contract, while only two auditor suggestions were made for the ERC-20 token. Several of the issues revolve around potential accounting errors when working with multiple different tokens, and around the underlying design of claimable-token indices (`tindex`), payer indices (`pindex`) and the internal bookkeeping of already claimed funds and their thresholds. We recommend that all identified issues be addressed before deployment, and that the token and payer indices be refactored: either replaced with direct address mappings or locked once set. Further, we strongly recommend adding tests for the `ClaimToken` contract, since only tests for the `OIK` token were provided.

**Fix Review**: During the fix review, the client simplified the `ClaimToken` contract, which now relies on valid signatures from the backend system to authorize claims. These signatures do not expire. As a result, the claim process depends on the backend system to manage distribution correctly, especially since introducing a nonce can lead to transaction order dependence if multiple claims share the same nonce. We added 4 new informational issues (SPA-8 to SPA-11) for behaviour introduced during the fix review.

**Fix Review 2:** The client added a new blacklist feature that prevents users from making claims even after receiving valid signatures. The contract can also invalidate existing signatures using `invalidateUnusedSignature()` or `invalidateUnusedNonce()` to address SPA-9. These features were introduced after the initial audit, and we strongly recommend adding thorough tests to ensure they work as intended. Overall, we strongly recommend that the client create a test suite for the `ClaimToken` contract before deployment. The tests should include integration with the backend system to increase coverage and confirm the expected behaviour of the claim process.
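The following is an added illustration, not Space Nation's `ClaimToken` code: a minimal signature-gated claim in Solidity that binds each backend signature to the claimer, amount, nonce, chain and contract, adds the expiry the audit notes was missing, consumes the nonce before transferring so two claims cannot race on the same nonce, and lets the owner blacklist claimers or invalidate unused nonces. All contract and function names here are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative example only (not the audited ClaimToken contract).
contract SignedClaimExample {
    address public immutable owner;   // may blacklist and invalidate nonces
    address public immutable signer;  // backend signing key (assumed)
    IERC20 public immutable token;

    mapping(uint256 => bool) public usedNonce;    // consumed or invalidated
    mapping(address => bool) public blacklisted;

    event Claimed(address indexed to, uint256 amount, uint256 nonce);

    constructor(address _signer, IERC20 _token) {
        require(_signer != address(0), "signer");  // ecrecover returns 0 on bad sig
        owner = msg.sender; signer = _signer; token = _token;
    }

    function setBlacklisted(address who, bool flag) external {
        require(msg.sender == owner, "owner");
        blacklisted[who] = flag;
    }

    /// Invalidate a nonce whose signature was issued but never used.
    function invalidateUnusedNonce(uint256 nonce) external {
        require(msg.sender == owner, "owner");
        require(!usedNonce[nonce], "already used");
        usedNonce[nonce] = true;
    }

    function claim(uint256 amount, uint256 nonce, uint256 deadline,
                   uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "signature expired"); // expiry
        require(!blacklisted[msg.sender], "blacklisted");
        require(!usedNonce[nonce], "nonce used"); // one nonce, one claim
        // Digest covers contract, chain, claimer, amount, nonce and deadline,
        // so a signature cannot be replayed elsewhere or by someone else.
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), block.chainid, msg.sender, amount, nonce, deadline))));
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        usedNonce[nonce] = true; // consume before transfer (checks-effects-interactions)
        require(token.transfer(msg.sender, amount), "transfer failed");
        emit Claimed(msg.sender, amount, nonce);
    }
}
```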


Issues (11)

|           | Low | Medium | High | Critical | Total |
|-----------|-----|--------|------|----------|-------|
| Not fixed | 3   | 1      | -    | -        | 4     |
| Fixed     | 4   | 3      | -    | -        | 7     |
| Total     | 7   | 4      | 0    | 0        | 11    |


Contracts (6)