{"posts":[{"id":19813,"title":"$OVR token: Clarification on GoPlus alerts","excerpt":"There are currently two security alerts reported by GoPlus on the $OVR token. Seen out of context, these might be quite worrying. We\u2019d like to clarify and correct this error.\u00a0 The background GoPlus runs automated analytics on token smart contract codes and functions that, by design, do not take into account the structure controlling the […]","content":"

There are currently two security alerts reported by GoPlus<\/a> on the $OVR token. Seen out of context, these might be quite worrying. We\u2019d like to clarify and correct this error.\u00a0<\/strong><\/p>\n

The background<\/b><\/h3>\n

GoPlus runs automated analytics on token smart contract codes and functions that, by design, do not take into account the structure controlling the ERC-20 token smart contract. There\u2019s a reason for that: While controls on the ERC-20 token standard can be automated, controls on arbitrary smart contract structures controlling the ERC-20 token itself cannot be automated.<\/span><\/p>\n

Unfortunately, such a configuration leads to an incorrect representation of the risks on all of the projects based on an IBCO-released token. In fact, <\/span>the same alerts also affect the Avegotchi token $GHST<\/span><\/a>.<\/span><\/p>\n

We notified GoPlus of the issue but the report has not been updated.<\/span><\/p>\n

Technical deep dive<\/b><\/h3>\n

GoPlus simply checks if the ERC-20 contract is mintable or not \u2013\u00a0if it has the capability to mint and burn tokens in wallets. Yet GoPlus <\/span>does not take into account<\/b> who is the owner of the ERC-20 contract, therefore who can use the capability of minting or burning tokens.\u00a0<\/span><\/p>\n

In the case of OVER \u2013 and also Aavegotchi \u2013\u00a0 it is the IBCO smart contract that owns this property and <\/span>such ownership cannot be changed<\/b>.\u00a0<\/span><\/p>\n

IBCO smart contracts are based on the Aragon Black Framework that has been <\/span>audited by Consensys<\/span><\/a>. Not to mention that both <\/span>in the case of OVER<\/span><\/a> and <\/span>Aavegotchi<\/span><\/a>, the IBCO contracts are currently stopped for good.<\/span><\/p>\n

If you\u2019re not familiar with the IBCO and on how and why it mints and burns tokens you can refer to <\/span>this article<\/span><\/a> and our <\/span>White Paper<\/span><\/a>.<\/span><\/p>\n

The former statements can also be verified by directly checking OVER smart contracts. ONLY the BatchedBancorMarketMaker contract (IBCO) can mint and burn tokens and there is no possibility to change this behavior.<\/span><\/p>\n

Inspecting the OVR ERC-20 Smart contract: https:\/\/etherscan.io\/address\/0x21bfbda47a0b4b5b1248c767ee49f7caa9b23697#readContract#F5<\/span><\/p>\n

The owner of the OVR ERC-20 is the address of the IBCO smart contract (BatchedBancorMarketMaker): 0x8c19cf0135852ba688643f57d56be72bb898c411<\/span><\/p>\n

Browsing the source code of that smart contract: <\/span>https:\/\/etherscan.io\/address\/0x8c19cF0135852BA688643F57d56Be72bB898c411#contracts<\/span><\/a><\/p>\n

The only call to burn the OVR tokens happens when someone opens a sell order to then claim DAI (collateral):<\/span><\/p>\n

\"\"<\/p>\n

Line 731 of the BatchedBancorMarketMaker.sol<\/span><\/h6>\n

Finally, the owner of the smart contract itself can\u2019t call the burn function. As one can see by checking on the write calls, such a function simply does not exist: <\/span>https:\/\/etherscan.io\/address\/0x8c19cF0135852BA688643F57d56Be72bB898c411#writeContract<\/span><\/a><\/p>\n

If you have additional questions or doubts about this issue please reach us on the official Telegram and Discord channels.<\/b><\/p>\n","permalink":"ovr-token-clarification-on-goplus-alerts-2","date":"2023-10-26 00:00:00","image_small":"https:\/\/blog.ovr.ai\/wp-content\/uploads\/2024\/02\/blog_over_token_1920x1080_v1-150x150.jpg","image_medium":"https:\/\/blog.ovr.ai\/wp-content\/uploads\/2024\/02\/blog_over_token_1920x1080_v1-300x169.jpg","image_large":"https:\/\/blog.ovr.ai\/wp-content\/uploads\/2024\/02\/blog_over_token_1920x1080_v1-1024x576.jpg","image_full":"https:\/\/blog.ovr.ai\/wp-content\/uploads\/2024\/02\/blog_over_token_1920x1080_v1.jpg","single_url":"https:\/\/blog.ovr.ai\/es\/ovr-token-clarification-on-goplus-alerts-2\/","translations":{"en":{"single_url":"https:\/\/blog.ovr.ai\/ovr-token-clarification-on-goplus-alerts\/","permalink":"ovr-token-clarification-on-goplus-alerts"},"fr":{"single_url":"https:\/\/blog.ovr.ai\/fr\/jeton-ovr-clarification-sur-les-alertes-goplus\/","permalink":"jeton-ovr-clarification-sur-les-alertes-goplus"},"es":{"single_url":"https:\/\/blog.ovr.ai\/es\/ovr-token-clarification-on-goplus-alerts-2\/","permalink":"ovr-token-clarification-on-goplus-alerts-2"},"tr":{"single_url":"https:\/\/blog.ovr.ai\/tr\/ovr-tokeni-goplus-uyarilarina-iliskin-aciklama\/","permalink":"ovr-tokeni-goplus-uyarilarina-iliskin-aciklama"},"zh":{"single_url":"https:\/\/blog.ovr.ai\/zh\/ovr-token-clarification-on-goplus-alerts-3\/","permalink":"ovr-token-clarification-on-goplus-alerts-3"}}}]}