Add warning about trading tokens before refundable crowdsale goal is …

…met (#1452) This attack was reported in OpenZeppelin/openzeppelin-contracts#877
ninjacrypto · Oct 19, 2018 · 1cb37ae · 1cb37ae
1 parent 42ad14f
commit 1cb37ae
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/contracts/crowdsale/distribution/RefundableCrowdsale.sol b/contracts/crowdsale/distribution/RefundableCrowdsale.sol
@@ -8,6 +8,19 @@ import "../../payment/escrow/RefundEscrow.sol";
  * @title RefundableCrowdsale
  * @dev Extension of Crowdsale contract that adds a funding goal, and
  * the possibility of users getting a refund if goal is not met.
+ * WARNING: note that if you allow tokens to be traded before the goal 
+ * is met, then an attack is possible in which the attacker purchases 
+ * tokens from the crowdsale and when they sees that the goal is 
+ * unlikely to be met, they sell their tokens (possibly at a discount).
+ * The attacker will be refunded when the crowdsale is finalized, and
+ * the users that purchased from them will be left with worthless 
+ * tokens. There are many possible ways to avoid this, like making the
+ * the crowdsale inherit from PostDeliveryCrowdsale, or imposing 
+ * restrictions on token trading until the crowdsale is finalized.
+ * This is being discussed in 
+ * https://github.com/OpenZeppelin/openzeppelin-solidity/issues/877
+ * This contract will be updated when we agree on a general solution
+ * for this problem.
  */
 contract RefundableCrowdsale is FinalizableCrowdsale {
   using SafeMath for uint256;