- Re-entrancy has been avoided by using `.transfer()` instead of `.call.value()` or `.send()`, which are less secure.
- Checks-Effects-Interaction has been implemented: first checking `Policy.state == PENDING`, then setting `.state = RELEASED`, and only then making a `.transfer()` call.
- `OpenZeppelin.SafeMath` is used whenever performing any mathematical operations. The only exceptions are for-loop counters, which use `counter++` in the for loop anyway and do not threaten any loss of funds or DoS.
- Only Policy owners are allowed to call `force_release`.
- Oracle callbacks are authenticated by ensuring that the calling address belongs to Oraclize.
- DoS on Oraclize callbacks is avoided by using `queryIndexes` to ensure that every Oraclize query can trigger the `__callback()` function only once.
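
The sketch below is an added example, not the project's own code. It shows how the owner check, the oracle-caller check, the one-shot `queryIndexes` lookup and the check/effect/interaction ordering fit together. Assumptions: the contract name, `createPolicy`, `requestCheck`, `_release`, the `oracle` address (a stand-in for the Oraclize callback address), the shape of the `queryIndexes` mapping, and that the callback releases the policy.

```solidity
pragma solidity ^0.5.0;

// Added illustration. Only state, PENDING, RELEASED, force_release, queryIndexes
// and __callback are names from the page; everything else is hypothetical.
contract PolicySketch {
    enum State { PENDING, RELEASED }
    struct Policy { address payable owner; uint256 payout; State state; }

    address public oracle;                            // assumed stand-in for the Oraclize callback address
    Policy[] public policies;
    mapping(bytes32 => uint256) public queryIndexes;  // query id => policy index + 1 (0 = unknown or used)
    uint256 private nonce;

    constructor(address _oracle) public { oracle = _oracle; }

    function createPolicy() external payable returns (uint256 idx) {
        idx = policies.push(Policy(msg.sender, msg.value, State.PENDING)) - 1;
    }

    // Stand-in for sending an oracle query; a real id would be returned by the oracle library.
    function requestCheck(uint256 idx) external returns (bytes32 queryId) {
        require(idx < policies.length, "no such policy");
        queryId = keccak256(abi.encodePacked(address(this), nonce++));
        queryIndexes[queryId] = idx + 1;
    }

    function __callback(bytes32 queryId, string memory) public {
        require(msg.sender == oracle, "caller is not the oracle");   // authenticate the callback
        uint256 slot = queryIndexes[queryId];
        require(slot != 0, "unknown or already-used query");
        delete queryIndexes[queryId];                                // a second callback with this id reverts
        _release(slot - 1);
    }

    function force_release(uint256 idx) external {
        require(idx < policies.length, "no such policy");
        require(msg.sender == policies[idx].owner, "not policy owner");
        _release(idx);
    }

    function _release(uint256 idx) internal {
        Policy storage p = policies[idx];
        require(p.state == State.PENDING, "not pending");  // check
        p.state = State.RELEASED;                          // effect
        p.owner.transfer(p.payout);                        // interaction comes last
    }
}
```

Because the state is set to `RELEASED` before the transfer and the query id is deleted before `_release` runs, neither a repeated callback nor a second `force_release` can pay the same policy twice.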