Closed yuriy77k closed 5 years ago
Auditing time 1 day
@MrCrambo assigned
Auditing time: 2 days.
Estimated auditing time is 1 day.
@danbogd @gorbunovperm assigned
My report is finished.
My report is finished.
Auditchain Token smart contract security audit report performed by Callisto Security Audit Department
Github commit hash 6ebb925a6f8bf9a744b2c6eedaf71bacf24ddf46
In total, 5 issues were reported including:
No critical security issues were found.
It is possible to perform a double withdrawal attack. More details here.
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.
Add the following code into the function transfer(address _to, ... ):
require( _to != address(this) );
In the constructor there are no events emitted on the transfer of funds.
It is about "Issuing yearly 12,500,000 new tokens to governance contract". In this contract, the year is determined by dividing the number of seconds since the beginning of the Unix Epoch by the number of seconds in a leap year. In this case, 06.02.2019 11:59pm is the year 2018 according to the returnYear() function, and 07.02.2019 12:00am is the year 2019.
If the contract is deployed on February 6, the owner will receive 12,500,000 tokens. The next day he can call mint() and get another 12,500,000 tokens, because the contract will consider that the next year has come.
Just save the timestamp of the first payment and add the year value in seconds to it to figure out whether the next payment date has come. Then update the date of the last payment.
In the process of migration, all funds of the sender are burned, but only the amount he specified as an argument is sent to the new contract. The user may not have up-to-date information about his balance and may accidentally burn part of his funds.
Do not use the value from the argument of migrate; instead set _value = balanceOf(msg.sender).
The owner's privileges:
Ability to migrate to a new contract in the future (the new contract may not be audited)
Ability to lock and unlock ERC20 functions of the Token based on user address
The review of the Auditchain Token smart contract did not show any critical issues, but some low severity issues were found.
https://gist.github.com/yuriy77k/3148010d397a86f57800b9d98ef83cee
https://gist.github.com/yuriy77k/5a8b0bf7838635ccb090d664fd283eb9
https://gist.github.com/yuriy77k/c60dc5f1439c1cbebb20793db52339db
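The year boundary the report describes can be checked numerically. The following Python model is an added example, not code from the Vestcomp/TGE repository: year_from_epoch() reproduces the returnYear() arithmetic as the report describes it (seconds since the Unix epoch divided by the seconds in a 366-day year), VulnerableMinter gates mint() on that computed year changing, and FixedMinter is an assumed implementation of the recommendation above, gating on a saved last-mint timestamp plus 365 days. The class names, the noon deployment time and the 365-day interval are assumptions; block.timestamp is UTC-based, so the boundary is computed in UTC.

```python
"""Model of the yearly-mint scheduling flaw reported above.

Added example, not code from the Vestcomp/TGE repository. year_from_epoch()
reproduces the returnYear() arithmetic as the report describes it; the two
minter classes are assumed models of the vulnerable and the recommended logic.
"""
from datetime import datetime, timezone

SECONDS_IN_LEAP_YEAR = 366 * 24 * 60 * 60   # 31_622_400: divisor used by returnYear()
SECONDS_IN_YEAR = 365 * 24 * 60 * 60        # 31_536_000: interval the fix waits for (assumed)
YEARLY_ISSUANCE = 12_500_000 * 10 ** 18     # 12,500,000 AUDT with 18 decimals


def ts(year, month, day, hour=0, minute=0, second=0):
    """UTC calendar time -> Unix timestamp. block.timestamp is UTC-based, so
    every boundary below is computed in UTC."""
    dt = datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    return int(dt.timestamp())


def year_from_epoch(now):
    """Vulnerable: mirrors returnYear(). A 'year' is every 366 days counted from
    1970-01-01, so the rollover is a fixed wall-clock instant that has nothing
    to do with when the previous issuance happened."""
    return 1970 + now // SECONDS_IN_LEAP_YEAR


class VulnerableMinter:
    """Issues 12.5M on deployment, then once more whenever year_from_epoch()
    is greater than the year recorded at the last issuance."""

    def __init__(self, deployed_at):
        self.last_year = year_from_epoch(deployed_at)
        self.total_issued = YEARLY_ISSUANCE

    def mint(self, now):
        if year_from_epoch(now) <= self.last_year:
            return 0
        self.last_year = year_from_epoch(now)
        self.total_issued += YEARLY_ISSUANCE
        return YEARLY_ISSUANCE


class FixedMinter:
    """Recommended logic (assumed implementation): remember the timestamp of
    the last issuance and only allow mint() once a full interval has elapsed."""

    def __init__(self, deployed_at):
        self.last_mint = deployed_at
        self.total_issued = YEARLY_ISSUANCE

    def mint(self, now):
        if now < self.last_mint + SECONDS_IN_YEAR:
            return 0
        self.last_mint = now  # update the date of the last payment
        self.total_issued += YEARLY_ISSUANCE
        return YEARLY_ISSUANCE


def demo():
    """Deploy at noon UTC on 2019-02-06 (assumed time), try to mint again at
    00:00 UTC on 2019-02-07, then one full interval after deployment, then
    one second later."""
    deployed = ts(2019, 2, 6, 12)
    next_day = ts(2019, 2, 7)
    vuln, fixed = VulnerableMinter(deployed), FixedMinter(deployed)
    return {
        "year_just_before": year_from_epoch(ts(2019, 2, 6, 23, 59, 59)),
        "year_just_after": year_from_epoch(next_day),
        "vuln_next_day": vuln.mint(next_day),
        "fixed_next_day": fixed.mint(next_day),
        "fixed_after_365_days": fixed.mint(deployed + SECONDS_IN_YEAR),
        "fixed_again_immediately": fixed.mint(deployed + SECONDS_IN_YEAR + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the model shows the 366-day divisor rolling from 2018 to 2019 at exactly 2019-02-07 00:00 UTC (that instant is 49 x 31,622,400 seconds after the epoch), so the vulnerable minter releases a second 12,500,000 roughly twelve hours after deployment, while the timestamp-based minter returns 0 until a full interval has passed and then refuses a second immediate call.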
Audit request
Burnable
Mintable
Pausable
No Cap
Issuing yearly 12,500,000 new tokens to governance contract
With ability to be migrated to new contract in the future
With ability to lock and unlock ERC20 functions of Token based on user address
With ability to refuse to accept tokens sent to this contract by mistake
Token Name
"Auditchain"
Token Ticker
"AUDT"
Number of decimals
18
Initial Supply
250,000,000 + 12,500,000
Example of verified contract can be seen on ropsten testnet
Source code
https://github.com/Vestcomp/TGE
Disclosure policy
jm@auditchain.com
bogdanfiedur@gmail.com
Platform
ETH
Complexity
Low