Ownable is not implemented in Wizard. TL;DR the core features like "transfer" require access control by default. about contracts-wizard HOT 5 CLOSED

Hi @frangio
You are 100% correct. A thousand apologies.

I'll tell you exactly what happened. When I refreshed my remix session, in my browser, the environment defaulted to "JavaScript VM (London)", with out me noticing. I intended to have the environment connected to Ropsten via MetaMask at all times.

I seemed to be able to transfer ERC20 tokens on the contract I deployed; even when changing between external accounts in MetaMask. This seemed very odd to me and I was concerned that there was some underlying issue. Now I understand that remix was not even acknowledging MetaMask and I was transacting as the same single account in the JavaScript VM (London) environment. Again, a thousand apologies and sorry for taking up your valuable time.

As you say the transfer function is fundamentally only able to transfer tokens if the msg.sender actually has tokens to transfer.

I have to own, both, my correctness and my blunders, right? :)
Thanks again for your time.
Kind regards
Tim

from contracts-wizard.

Thanks for bringing this up! I've noticed it as well.

The issue is that toggling "Ownable" doesn't really mean "add Ownable" but "add Ownable if any of the above selected features require access control".

The design definitely doesn't convey that.

I'm thinking the access control section should be more like the upgradeability section where there is a toggle at the top and if enabled then there are the two choices.

from contracts-wizard.

Hi @frangio

Ah, I see. So for example when I click "mintable" it automatically adds "ownable" because the "ownable" radio button is selected.

Yes I completely agree, there could be a toggle beside the heading "access control".

If a user switches the toggle on then the user has the choice of either "ownable" or "roles" (the default being "ownable").

As the Wizard currently sits, a project and/or user may deploy their ERC20 contract with the following settings (minting a million tokens in the constructor and thinking that "ownable" is implemented somewhere in the inheritance).

The project will then be surprised to find out that any external account address can instantiate their contract and then easily transfer all of the project's tokens out of the project's ERC20 contract.

from contracts-wizard.

But I don't really understand why you mention transfer. Ownable is not meant to affect the transfer function. Transfer is native to ERC20 and anyone with balance can transfer their own tokens.

What is exactly the thing a project would be surprised with?

from contracts-wizard.

I don't think there are any more actionables in this issue.

from contracts-wizard.