From ae339333d7d160f42fae3944033ec53075a6f7ab Mon Sep 17 00:00:00 2001 From: Leo Arias Date: Fri, 19 Oct 2018 17:35:04 -0600 Subject: [PATCH] Add warning about trading tokens before refundable crowdsale goal is met (#1452) This attack was reported in https://github.com/OpenZeppelin/openzeppelin-solidity/issues/877 (cherry picked from commit 80458ebc72f1c7c9695416edbe26690f72e406a0) --- .../crowdsale/distribution/RefundableCrowdsale.sol | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/contracts/crowdsale/distribution/RefundableCrowdsale.sol b/contracts/crowdsale/distribution/RefundableCrowdsale.sol index d670f9ced..9b814cd7d 100644 --- a/contracts/crowdsale/distribution/RefundableCrowdsale.sol +++ b/contracts/crowdsale/distribution/RefundableCrowdsale.sol @@ -8,6 +8,19 @@ import "../../payment/escrow/RefundEscrow.sol"; * @title RefundableCrowdsale * @dev Extension of Crowdsale contract that adds a funding goal, and * the possibility of users getting a refund if goal is not met. + * WARNING: note that if you allow tokens to be traded before the goal + * is met, then an attack is possible in which the attacker purchases + * tokens from the crowdsale and when they sees that the goal is + * unlikely to be met, they sell their tokens (possibly at a discount). + * The attacker will be refunded when the crowdsale is finalized, and + * the users that purchased from them will be left with worthless + * tokens. There are many possible ways to avoid this, like making the + * the crowdsale inherit from PostDeliveryCrowdsale, or imposing + * restrictions on token trading until the crowdsale is finalized. + * This is being discussed in + * https://github.com/OpenZeppelin/openzeppelin-solidity/issues/877 + * This contract will be updated when we agree on a general solution + * for this problem. */ contract RefundableCrowdsale is FinalizableCrowdsale { using SafeMath for uint256;
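Review bot: the new @dev warning in RefundableCrowdsale.sol has two typos that should be fixed before merge: "when they sees that the goal" should read "when they see that the goal", and "making the the crowdsale inherit from PostDeliveryCrowdsale" has a doubled "the". Beyond wording, the closing sentences ("This is being discussed in ... / This contract will be updated when we agree on a general solution") describe a moving target inside a NatSpec block that ships with the release; consider phrasing the recommendation as the concrete mitigations the warning already names (inherit from PostDeliveryCrowdsale, or restrict token transfers until finalization) and keeping the issue link only as a reference, so the comment stays accurate once the discussion in #877 closes. Since the warning is the only change and the attack depends on tokens being transferable before the goal is met, it would also help to say explicitly that the default Crowdsale delivers tokens immediately on purchase, which is the case where the warning applies.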