The /Reach team developed a platform around Discord bots to help creators drive high-quality user traffic and engagement toward their social media content. For a fee, a creator can create "missions" on the /Reach platform to promote their content to a targeted group of users. Users are in turn incentivized to engage with the content, with the potential to earn rewards (e.g. ETH) based on their contributions.

Quantstamp conducted the audit with three auditors working independently on a best-effort basis. This audit covers only the changes between commits `f6f97b8` and `4c189ba` in the following files: `ReachFactory.sol`, `ReachMainDistribution.sol`, and `ReachAffiliateDistribution.sol`.

One major technical aspect of these contracts is the use of Merkle proofs to allow users to claim their accrued rewards on the /Reach platform. However, calculating the Merkle root and uploading it to the contract are performed off-chain, which is out of the scope of this audit. A particular caveat to note is that the contract may not have enough funds for all users to claim, even if they have the correct Merkle proof, as stated in REA-4.

Our team identified issues of various levels of severity, including 1 high-severity issue and 4 medium-severity issues. Furthermore, the test suites show that the current branch coverage can be improved (it is at around 46% for the files in scope). We recommend that projects have at least 90% branch coverage. The team should increase the coverage with more extensive test cases and provide more technical documentation to the public before deployment.

**Update**: We would like to praise the /Reach team for being very responsive and helpful throughout this audit and the fix review process. All issues in the report were promptly fixed or acknowledged by the team.

Status | Low | Medium | High | Critical | Total |
---|---|---|---|---|---|
Not fixed | 2 | 3 | - | - | 5 |
Fixed | 12 | 1 | 1 | - | 14 |
Total | 14 | 4 | 1 | 0 | 19 |

# | File Name |
---|---|
1 | ReachMainDistribution.sol |
2 | ReachAffiliateDistribution.sol |
3 | ReachFactory.sol |