# Introduction
iosiro was commissioned by [Enhanced Society](https://www.enhancedsociety.com/) to analyse a pull request to identify potential functional and security flaws introduced into the codebase. The analysis was conducted between 24 May 2018 and 25 May 2018.
# Description
The pull request was performed on a fork of the popular TokenMarket [ICO Smart Contract Package](https://github.com/TokenMarketNet/ico). The codebase provides a boilerplate of smart contracts for projects wanting to launch an ICO.
# Scope
The scope of the analysis was limited to changes made in PR [#1](https://github.com/enhancedsociety/ico/pull/1). The specific commits are listed below.
* [Documentation & Whitelist Crowdsale Updates](https://github.com/enhancedsociety/ico/pull/1/commits/9a466224019399661ce432916375ca51184001ab)
* [Whitelist Crowdsale yml](https://github.com/enhancedsociety/ico/pull/1/commits/a0979b620b6f2932b9fdf6d683eb6c2e42490a27)
* [More Updates to Doc](https://github.com/enhancedsociety/ico/pull/1/commits/9ab9e795572fef1de768aec935c40b587f6d3d80)
* [More Updates to Doc](https://github.com/enhancedsociety/ico/pull/1/commits/8bb267274c17e81d86dc6481e9181753c9362081)
* [Updates to populus.json for ropsten network](https://github.com/enhancedsociety/ico/pull/1/commits/002b7b640c63d2cc9226f5f4be840d8ab7f1af72)
* [More Doc Updates](https://github.com/enhancedsociety/ico/pull/1/commits/e3d3b8cf616003dde39d0935301b03dc193135eb)
* [More Doc Updates](https://github.com/enhancedsociety/ico/pull/1/commits/8e896d2be6cc4e37e3441693152b17a3ffc33a42)
*Note: Only the code changes made by Enhanced Society detailed in the links provided above were analysed. The rest of the forked codebase was not assessed.*
# Analysis
A comprehensive list of changes to the smart contracts in scope is given below.
* Changed the crowdsale fallback function to call `investInternal(...)` in Crowdsale.sol rather than throwing. This allows participants to send ether directly to the contract and receive tokens, instead of having to call the `invest(...)` function to purchase tokens.
* Added functionality that required `msg.sender` and the token receiver address to be added to a whitelist before being able to contribute to the ICO. Only the crowdsale contract owner could call the whitelist functions.
# Findings
No functional or security flaws were identified during the analysis.