There are currently two security alerts reported by GoPlus on the $OVR token. Seen out of context, they might look quite worrying. We’d like to clarify them and correct the error.
GoPlus runs automated analytics on token smart contract code and functions which, by design, do not take into account the structure that controls the ERC-20 token contract. There’s a reason for that: checks against the ERC-20 token standard can be automated, but checks on the arbitrary smart contract structures that control the ERC-20 token itself cannot.
Unfortunately, such a configuration leads to an incorrect representation of the risks on all of the projects based on an IBCO-released token. In fact, the same alerts also affect the Aavegotchi token $GHST.
We notified GoPlus of the issue but the report has not been updated.
Technical deep dive
GoPlus simply checks whether the ERC-20 contract is mintable or not, i.e. whether it has the capability to mint and burn tokens in wallets. Yet GoPlus does not take into account who the owner of the ERC-20 contract is, and therefore who is actually able to use the capability of minting or burning tokens.
In the case of OVER – and also Aavegotchi – it is the IBCO smart contract that holds this ownership, and such ownership cannot be changed.
IBCO smart contracts are based on the Aragon Black framework, which has been audited by ConsenSys. Not to mention that, in the case of both OVER and Aavegotchi, the IBCO contracts are currently stopped for good.
If you’re not familiar with the IBCO and with how and why it mints and burns tokens, you can refer to this article and our White Paper.
The statements above can also be verified by directly checking the OVER smart contracts. ONLY the BatchedBancorMarketMaker contract (the IBCO) can mint and burn tokens, and there is no way to change this behavior.
Inspecting the OVR ERC-20 Smart contract: https://etherscan.io/address/0x21bfbda47a0b4b5b1248c767ee49f7caa9b23697#readContract#F5
The owner of the OVR ERC-20 is the address of the IBCO smart contract (BatchedBancorMarketMaker): 0x8c19cf0135852ba688643f57d56be72bb898c411
Browsing the source code of that smart contract: https://etherscan.io/address/0x8c19cF0135852BA688643F57d56Be72bB898c411#contracts
The only call to burn the OVR tokens happens when someone opens a sell order to then claim DAI (collateral):
Line 731 of the BatchedBancorMarketMaker.sol
Finally, the owner of the IBCO smart contract itself can’t call the burn function. As one can see by checking the write calls, such a function simply does not exist: https://etherscan.io/address/0x8c19cF0135852BA688643F57d56Be72bB898c411#writeContract
If you have additional questions or doubts about this issue, please reach out to us on the official Telegram and Discord channels.
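To make the distinction above concrete, here is an added example (not code from the OVER project, from GoPlus, or from the real contracts): an offline model of the difference between "the ERC-20 exposes mint/burn" (what an automated scanner sees) and "who can actually reach mint/burn through the owner" (what the scanner ignores). All addresses, function names (openBuyOrder, openSellOrder, transferOwnership) and the call graph are constructed assumptions, not the real OVR or IBCO ABI. It goes beyond the single case in the post by also scoring a second, constructed scenario in which a plain wallet owns the token, so the two verdicts can be compared side by side.

```python
# Added example, not code from the OVER project or from GoPlus. Offline model of
# "does mint/burn exist?" (scanner view) versus "who can reach mint/burn through the
# owner?" (ownership view). Chain state, addresses and function names are constructed.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Function:
    """One externally callable write function with a crude model of its effect."""
    name: str
    only_owner: bool = False                        # guarded by an onlyOwner-style check
    calls: list[str] = field(default_factory=list)  # "<address>.<function>" it invokes
    self_funded: bool = False                       # only touches msg.sender's own value
                                                    # (burns own tokens / mints against
                                                    # collateral msg.sender deposits)


@dataclass
class Contract:
    address: str
    owner: str | None                # None if ownerless
    functions: dict[str, Function]
    is_eoa: bool = False             # plain wallet, no code


def scanner_check(chain, token_addr):
    """Scanner-style check: flag mint/burn if the functions exist at all."""
    fns = chain[token_addr].functions
    return {"mintable": "mint" in fns, "burnable": "burn" in fns}


def reach(chain, token_addr, fn_name):
    """Who can trigger token.<fn_name>? Returns (kind, address, function, self_funded)."""
    token = chain[token_addr]
    fn = token.functions.get(fn_name)
    if fn is None:
        return []
    if not fn.only_owner:
        return [("anyone", token_addr, fn_name, False)]
    owner = chain.get(token.owner)
    if owner is None or owner.is_eoa:
        # A wallet owns the token: a single key can mint/burn at will.
        return [("owner-wallet", token.owner, fn_name, False)]
    # A contract owns the token: only its own entry points can forward the call.
    paths = []
    for f in owner.functions.values():
        if f"{token_addr}.{fn_name}" in f.calls:
            kind = "owner-contract-admin" if f.only_owner else "anyone"
            paths.append((kind, owner.address, f.name, f.self_funded))
    return paths


def assess(chain, token_addr):
    """Combine reachability with ownership mutability into one verdict."""
    token = chain[token_addr]
    paths = reach(chain, token_addr, "mint") + reach(chain, token_addr, "burn")
    # Privileged: some single party can mint/burn others' balances or mint for free.
    privileged = [p for p in paths if p[0] != "anyone" or not p[3]]
    owner_changeable = "transferOwnership" in token.functions
    risky = bool(privileged) or owner_changeable
    return {
        "scanner": scanner_check(chain, token_addr),
        "paths": paths,
        "privileged_paths": privileged,
        "owner_changeable": owner_changeable,
        "verdict": "privileged mint/burn path exists" if risky
                   else "no privileged mint/burn path",
    }


# Constructed scenario A: token owned by a non-upgradable bonding-curve contract, the
# structure the post describes (mint on buy orders, burn on sell orders, nothing else).
TOKEN = "0xT0KEN"
CURVE = "0xCURVE"
CHAIN_CURVE_OWNED = {
    TOKEN: Contract(TOKEN, CURVE, {
        "mint": Function("mint", only_owner=True),
        "burn": Function("burn", only_owner=True),
        "transfer": Function("transfer"),
    }),
    CURVE: Contract(CURVE, None, {
        "openBuyOrder": Function("openBuyOrder", calls=[f"{TOKEN}.mint"], self_funded=True),
        "openSellOrder": Function("openSellOrder", calls=[f"{TOKEN}.burn"], self_funded=True),
    }),
}

# Constructed scenario B: same mint/burn ABI, but a plain wallet is the owner.
WALLET = "0xWALLET"
CHAIN_WALLET_OWNED = {
    TOKEN: Contract(TOKEN, WALLET, {
        "mint": Function("mint", only_owner=True),
        "burn": Function("burn", only_owner=True),
        "transferOwnership": Function("transferOwnership", only_owner=True),
    }),
    WALLET: Contract(WALLET, None, {}, is_eoa=True),
}

if __name__ == "__main__":
    for label, chain in (("curve-owned", CHAIN_CURVE_OWNED), ("wallet-owned", CHAIN_WALLET_OWNED)):
        print(label, assess(chain, TOKEN))
```

Both scenarios trip the scanner-style check identically (mint and burn exist), but only the wallet-owned one has a privileged path: in the curve-owned model every route to mint or burn is a public trade that only moves the caller's own value, and the token has no transferOwnership entry point. Against a live deployment the same reasoning is what the Etherscan links in this post let you do by hand: read owner(), confirm the owner address holds code, and walk its write functions.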