iosiro was commissioned by [Enhanced Society](https://www.enhancedsociety.com/) to analyse a pull request to identify potential functional and security flaws introduced into the codebase. The analysis was conducted between 24 May 2018 and 25 May 2018.
The pull request was made against a fork of the popular TokenMarket [ICO Smart Contract Package](https://github.com/TokenMarketNet/ico). The codebase provides boilerplate smart contracts for projects wanting to launch an ICO.
The scope of the analysis was limited to changes made in PR [#1](https://github.com/enhancedsociety/ico/pull/1). The specific commits are listed below.
* [Documentation & Whitelist Crowdsale Updates](https://github.com/enhancedsociety/ico/pull/1/commits/9a466224019399661ce432916375ca51184001ab)
* [Whitelist Crowdsale yml](https://github.com/enhancedsociety/ico/pull/1/commits/a0979b620b6f2932b9fdf6d683eb6c2e42490a27)
* [More Updates to Doc](https://github.com/enhancedsociety/ico/pull/1/commits/9ab9e795572fef1de768aec935c40b587f6d3d80)
* [More Updates to Doc](https://github.com/enhancedsociety/ico/pull/1/commits/8bb267274c17e81d86dc6481e9181753c9362081)
* [Updates to populus.json for ropsten network](https://github.com/enhancedsociety/ico/pull/1/commits/002b7b640c63d2cc9226f5f4be840d8ab7f1af72)
* [More Doc Updates](https://github.com/enhancedsociety/ico/pull/1/commits/e3d3b8cf616003dde39d0935301b03dc193135eb)
* [More Doc Updates](https://github.com/enhancedsociety/ico/pull/1/commits/8e896d2be6cc4e37e3441693152b17a3ffc33a42)
*Note: Only the code changes made by Enhanced Society detailed in the links provided above were analysed. The rest of the forked codebase was not assessed.*
A comprehensive list of changes to the smart contracts in scope is given below.
* Changed the crowdsale fallback function to call `investInternal(...)` in Crowdsale.sol rather than throwing. This allows participants to send ether directly to the contract and receive tokens, instead of having to call the `invest(...)` function to purchase tokens.
* Added functionality that requires `msg.sender` and the token receiver address to be added to a whitelist before they can contribute to the ICO. Only the crowdsale contract owner can call the whitelist functions.
No functional or security flaws were identified during the analysis.