EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department has conducted over 400 security audits since 2018. Not a single contract that we audited has been hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

XCOYNZ Token. #140

Closed yuriy77k closed 5 years ago

yuriy77k commented 5 years ago

Audit request

Smart Contract to support XCOYNZ token and project fundamentals with 1.25B total supply and a token ticker of XCZ. The Smart Contract encompasses all basic token attributes and periodic releases of tokens, adhering to vesting periods as dictated by the project's long term vision which is made publicly available in the Whitepaper and all project documentation. https://xcoynz.com/ XCOYNZ offers the ability for non-crypto-participants to quickly and easily enter the Cryptocurrency world, familiarise themselves with the regular movements between Crypto assets and connect their personal Crypto wealth to a world where payments and transfer executions are no longer difficult or long-winded processes. In essence, making the handling of Crypto wealth just as seamless as everyday banking has now become. XCOYNZ will offer training videos and a support infrastructure for those non-crypto-savvy people who are waiting to enter this new world of crypto-currency. XCOYNZ is a platform of many components, and as its flagship feature, the XCOYNZ Exchange enables the facility for the Individual to set their own fee and exchange Crypto back to fiat directly into their bank accounts in a much quicker way. At XCOYNZ we believe in empowering the Individual and consequently we have decided that the transfer fee of every transaction on our exchange can be chosen by the Individual. A further exciting innovation is the concept of a “Smart Algorithm Wallet (SAW)”. Most people have multiple Cryptocurrencies in various wallets, and based on your wallet holdings, XCOYNZ will incorporate machine learning algorithms, such as suggesting the best possible combination of Cryptocurrency for the transaction (i.e. to pay retailers) to ensure that the lowest network and exchange fees are applied. Various predictive and prescriptive tools will be used to ensure accurate decisions are provided – and of course an override facility will also be available. 
Together with a Payment Gateway for retailer subscriptions that allows payments using the currency of choice for the consumer, the XCOYNZ platform spearheads the incorporation of these unique elements to facilitate the mass market shift that is in the making and is so inevitable.

Source code

https://github.com/xcoynz/XCZ-Token-Smart_Contract

Disclosure policy

azeem@xcoynz.com

Platform

ETH

Complexity

Low

yuriy77k commented 5 years ago

1. Summary

XCOYNZ token smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 3 issues were reported including:

No critical security issues were found.

3.1. Underflow in Transfer function

Severity: low

Description

Code snippet

https://github.com/xcoynz/XCZ-Token-Smart_Contract/blob/e4535fb03b4621919fba7798a0721111f35f634b/XCOYNZ%20Test%20SC.sol#L366-L380

3.2. Owner Privileges

Severity: low

Description

  1. The contract code does not guarantee that the owner will burn tokens after the crowdsale, which is not good for investors.

  2. The tokenOwner can bypass the restrictions in the transfer function by using the approve and transferFrom functions instead.

Code snippet

https://github.com/xcoynz/XCZ-Token-Smart_Contract/blob/e4535fb03b4621919fba7798a0721111f35f634b/XCOYNZ%20Test%20SC.sol#L386-L389

https://github.com/xcoynz/XCZ-Token-Smart_Contract/blob/e4535fb03b4621919fba7798a0721111f35f634b/XCOYNZ%20Test%20SC.sol#L367-L375

https://github.com/xcoynz/XCZ-Token-Smart_Contract/blob/e4535fb03b4621919fba7798a0721111f35f634b/XCOYNZ%20Test%20SC.sol#L161

https://github.com/xcoynz/XCZ-Token-Smart_Contract/blob/e4535fb03b4621919fba7798a0721111f35f634b/XCOYNZ%20Test%20SC.sol#L177

3.3. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require(_to != address(this));

4. Conclusion

No critical security issues were found in the audited smart contract. But investors have to pay attention to the high privileges of the token Owner, who could manipulate the ICO process.

5. Revealing audit reports

https://gist.github.com/yuriy77k/e01d4429a4a4e62f37b9cc0990eabd2e

https://gist.github.com/yuriy77k/9f2f707f0ba330597ae3ac8e674568be

https://gist.github.com/yuriy77k/df49590bde2835e5f25a327f9f492f6b
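The three finding classes in the report above (3.1 underflow in transfer, 3.2.2 lock bypass via approve/transferFrom, 3.3 tokens sent to the token contract itself and the approve race) share one root cause: each transfer path enforces its own subset of checks. The following is an added example, not the XCOYNZ contract or any code from the project: a minimal token whose owner balance is locked until an assumed `releaseTime` (a stand-in for the vesting schedule; the contract names, the lock rule and the supply handling are all assumptions), written for Solidity 0.5.x because that compiler wraps arithmetic silently, which is what makes the 3.1 underflow possible. The vulnerable contract reproduces the findings; the hardened contract routes both `transfer` and `transferFrom` through one internal function so every restriction is applied exactly once.

```solidity
pragma solidity ^0.5.0;

// Added example, not the XCOYNZ contract. A minimal token whose owner's
// tokens are locked until `releaseTime` (assumed stand-in for the vesting
// schedule), written for Solidity 0.5.x where arithmetic wraps silently.
contract TokenBase {
    address public tokenOwner;
    uint256 public releaseTime;
    uint256 public totalSupply;
    mapping(address => uint256) public balances;
    mapping(address => mapping(address => uint256)) public allowed;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 _releaseTime, uint256 _supply) public {
        tokenOwner = msg.sender;
        releaseTime = _releaseTime;
        totalSupply = _supply;
        balances[msg.sender] = _supply;
    }

    function approve(address _spender, uint256 _value) public returns (bool) {
        allowed[msg.sender][_spender] = _value;
        return true;
    }
}

// Reproduces the three finding classes from the report.
contract VulnerableVestedToken is TokenBase {
    constructor(uint256 _releaseTime, uint256 _supply) TokenBase(_releaseTime, _supply) public {}

    // 3.1: no `balances[msg.sender] >= _value` check, so the subtraction
    //      wraps and a sender with 0 tokens ends up with 2**256 - _value.
    // 3.2.2: the vesting lock is enforced only in transfer() ...
    function transfer(address _to, uint256 _value) public returns (bool) {
        require(msg.sender != tokenOwner || now >= releaseTime, "owner tokens locked");
        balances[msg.sender] -= _value;
        balances[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    // ... and not here. The owner calls approve(owner, v) and then
    //     transferFrom(owner, anyone, v) to move locked tokens at will.
    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(allowed[_from][msg.sender] >= _value);
        require(balances[_from] >= _value);
        allowed[_from][msg.sender] -= _value;
        balances[_from] -= _value;
        balances[_to] += _value;
        emit Transfer(_from, _to, _value);
        return true;
    }
}

// Hardened variant: every transfer path goes through one internal function.
contract HardenedVestedToken is TokenBase {
    constructor(uint256 _releaseTime, uint256 _supply) TokenBase(_releaseTime, _supply) public {}

    function _transfer(address _from, address _to, uint256 _value) internal {
        require(_from != tokenOwner || now >= releaseTime, "owner tokens locked"); // 3.2.2
        require(_to != address(0), "zero address");
        require(_to != address(this), "token contract address");                   // 3.3.2
        require(balances[_from] >= _value, "insufficient balance");               // 3.1
        balances[_from] -= _value;
        balances[_to] += _value; // cannot overflow: balances always sum to totalSupply
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        _transfer(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(allowed[_from][msg.sender] >= _value, "allowance exceeded");
        allowed[_from][msg.sender] -= _value;
        _transfer(_from, _to, _value);
        return true;
    }

    // 3.3.1: relative allowance updates avoid the approve() front-running race.
    function increaseAllowance(address _spender, uint256 _added) public returns (bool) {
        uint256 current = allowed[msg.sender][_spender];
        require(current + _added >= current, "allowance overflow");
        allowed[msg.sender][_spender] = current + _added;
        return true;
    }

    function decreaseAllowance(address _spender, uint256 _subtracted) public returns (bool) {
        require(allowed[msg.sender][_spender] >= _subtracted, "allowance underflow");
        allowed[msg.sender][_spender] -= _subtracted;
        return true;
    }
}
```

Two points worth checking when reviewing a token against this pattern. First, the lock in `VulnerableVestedToken` looks correct when reading `transfer()` in isolation; the bypass only shows up when you enumerate every function that mutates `balances` and confirm each one applies the same rule, which is why the hardened version keeps a single `_transfer` and lets the public functions do nothing but call it. Second, the `require(_to != address(this))` check prevents the irrecoverable loss the report's recommendation targets, but it does not by itself protect tokens sent to arbitrary contracts that lack a withdrawal path; that is the "transaction handling" gap of 3.3.2, and it needs either a token standard with a receiver hook or operational guidance to users. On Solidity 0.8 and later the `-=` in the vulnerable `transfer()` reverts on its own, so the 3.1 finding is compiler-version dependent; the explicit balance check costs nothing and documents the intent regardless.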