[WIP] Audit of Partial Restricted Transfer Manager Module

[pabloruiz55]

THIS IS A DRAFT

Purpose of the module is to control the number of Investors (critical for non-reporting entities who may be limited to 50 Investors in some jurisdictions). An Investor looking to sell their Security Tokens may be forced to sell ALL their security tokens in one singular operation so that the total number of Investors does not increase (and may decrease).

When enabled, this module will prevent a token holder from transferring just part of their token balance, only being able to transfer 100% of it.

Code can be found here: https://github.com/PolymathNetwork/polymath-core/tree/master/contracts/modules/TransferManager/PTM

Detailed requirements / flowchart: [ADD LINK TO LUCIDCHART]

Expected Behavior to review: [MAWADDA TO REFINE]

• When attached to a security token, any transfer made by a token holder should account for 100% of their balance.
• If the module is paused, the above behavior should be ignored.
• Owner should be able to add/remove addresses (one at a time and multiple in a single tx) to a whitelist within the module
• Addresses in this whitelist should be exempted from this restriction

How to review/test this module: [VICTOR TO REFINE]

• Use Polymath's CLI (local is fine) to create a new 3.0 security token
• Add a few addresses to the token's General Transfer Manager (so transfers between them are allowed)
• Mint some tokens to some of these whitelisted accounts, and attempt some transfers to check restrictions are properly setup
• Attach the Partial Restricted Transfer Manager Module to the security token
• Attempt a transfer from an address that doesn't account for 100% of it's token balance, it should fail.

Bug Bounty Terms: [CHRIS TO REVIEW]

• We will select up to 5 independent auditors to review the module. They will all be awarded the specified amount, regardless of the amount of bugs found. Polymath may consider to award a bonus to auditors that find bugs no-one had found and/or of a critical nature.
• Selected auditors are required to attend a short session (30-60 minutes) where we will walk them through the module details and live demo how to use the CLI to test/setup the module in scope.
• Only the smart contract(s) specified here are under the scope of the bounty, unless otherwise specified.
• Auditors will be required to provide a full report on the steps they took to review the code, their findings and detailed steps on how to fix any bugs/issues found.
• Auditors should be available for at least 2 rounds of review (Bounty will only be paid once found bugs have been fixed and the auditor that found them has accepted the fix proposed by our team)
• Selected auditors can and are encouraged to share their findings and collaborate/discuss their approach between them as it's not a competition and all selected auditors will be rewarded for their time spent reviewing the code.
• Polymath reserves the right to withhold payment if we consider the auditor has not done enough to properly review/audit the code. This includes, but is not limited to: Not attending the short introductory session, not providing a report with their findings, not finding obvious bugs that everyone else has, not providing detailed steps on how to fix a bug, not reviewing our team's proposed fixes in a timely fashion.