Closed MillianoConti closed 5 years ago
@MillianoConti I have no response from support@amo.foundation. Please check email.
publish the audit results publicly
Friday, 1 March 2019, 16:23 +03:00 from Yuriy notifications@github.com:
@MillianoConti I have no response from support@amo.foundation. Please check email.
Callisto Network provides security audits free of charge for smart-contract developers and development teams. By our disclosure policy, we need to inform developers about found issues. Therefore we have to contact them.
As we didn't receive confirmation from the smart contract developer team, the request should be closed.
Auditing time: 2 days.
@MrCrambo assigned
Auditing time: 5 days.
@danbogd assigned
Auditing time: 3 days.
@RideSolo assigned
My report is finished.
AMO Project smart contract security audit report performed by Callisto Security Audit Department
In total, 7 issues were reported including:
1 medium severity issue.
2 low severity issues.
2 notes.
2 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).
No critical security issues were found.
When `allocateTokens` is called, the `tokenAmount` to be transferred to the `to` address is not subtracted from `allocationList[to].allowedAmount`, meaning that if the function is called again by the owner, a higher amount than `allocationList[to].allowedAmount` can be transferred to `to`.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol#L463#L476
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol#L400#L407
If multiple allocations are made to a `user` address using the `addToAllocationList` function member of `AMOCoinSale`, the `amount` allocated is not cumulated in `allocationList[user].allowedAmount`.
Please note that `addToAllocationList` is meant to be used when `EarlyInvestment` is set, meaning that real payments are done off-chain; this can lead to major errors from the team since this function is only used by the owner.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol#L400#L407
Owner privileges:
Transfer control: `onlyWhenTransferAllowed`, `enableTransfer`, `disableTransfer` (check here).
Account locking: `onlyAllowedAmount`, `lockAccount`, `unlockAccount` (check here).
The round is chosen by the owner in `setUpSale`, meaning that the owner can reset the round even to a previous one. The owner should not be able to reselect the round in `setUpSale`; instead, `round` has to be incremented directly inside the function (check here).
The `addToAllocationList` function member of `AMOCoinSale` adds a token amount to a mapping for dedicated users; since it is allowed only in the `EarlyInvestment` round, we can guess that the token sale was done off-chain through fiat or any other way. However, `removeFromAllocationList` can also cancel the allowed tokens before `allocateTokens` is called and the tokens are transferred to the user address. The main issue here is when the fiat or crypto payment is done and why an address can be removed, knowing that a user may not have gotten his payment back.
There is a possibility of setting the zero address as admin in function `AMOCoin` and as the contract address in function `setTokenSaleAmount`.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L85
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L101
The modifier `onlyValidDestination` from the `AMOCoin` contract will fail the function in case of transferring funds to the sale address. For example, in function `setTokenSaleAmount` funds are approved for `tokenSaleAddr`. Afterwards they should be transferred to this address with `transferFrom`, but that function checks the destination using the `onlyValidDestination(to)` modifier.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L67
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L101
A double withdrawal attack is possible. More details here.
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
https://gist.github.com/yuriy77k/2fc552fd10cb2f77139068f29cfdedb5
https://gist.github.com/yuriy77k/618cb51beedeebb119dd37991a77238f
https://gist.github.com/yuriy77k/23b820cc0dbcced4d173dcbd105b9464
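As an added illustration of the two allocation-accounting findings reported above (this is not code from the AMO-Contracts repository or from the auditors), the following minimal allocation list, written in Solidity 0.8 for this thread, places the described defective pattern beside a hardened version. The contract name, the `Allocation` struct and the `Allocated` event are assumptions made here; the real `AMOCoinSale` functions and its `allowedAmount` field are only referenced by name, and the token transfer is replaced by an event so the contract is self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration (hypothetical contract, not AMOCoinSale): the allocation
// accounting defects described in the report, next to a hardened version.
contract AllocationListExample {
    struct Allocation {
        uint256 allowedAmount;
        bool exists;
    }

    address public owner;
    mapping(address => Allocation) public allocationList;

    // Stands in for the token transfer so the example needs no ERC20 dependency.
    event Allocated(address indexed to, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Defective pattern (as described in the report): a second call for the
    // same user overwrites the previous allowance instead of adding to it.
    function addToAllocationListUnsafe(address user, uint256 amount) external onlyOwner {
        allocationList[user] = Allocation(amount, true);
    }

    // Defective pattern: the allowance is checked but never decreased, so a
    // repeated call releases more than allowedAmount in total.
    function allocateTokensUnsafe(address to, uint256 tokenAmount) external onlyOwner {
        require(allocationList[to].exists, "not in list");
        require(tokenAmount <= allocationList[to].allowedAmount, "over allowance");
        emit Allocated(to, tokenAmount); // would be token.transfer(to, tokenAmount)
    }

    // Hardened: reject the zero address and accumulate repeated allocations.
    function addToAllocationList(address user, uint256 amount) external onlyOwner {
        require(user != address(0), "zero address");
        require(amount > 0, "zero amount");
        allocationList[user].allowedAmount += amount;
        allocationList[user].exists = true;
    }

    // Hardened: reduce the remaining allowance before the transfer
    // (checks-effects-interactions), so the total released can never exceed
    // what was allocated.
    function allocateTokens(address to, uint256 tokenAmount) external onlyOwner {
        Allocation storage a = allocationList[to];
        require(a.exists, "not in list");
        require(tokenAmount <= a.allowedAmount, "over allowance");
        a.allowedAmount -= tokenAmount;
        emit Allocated(to, tokenAmount);
    }
}
```

Calling `addToAllocationListUnsafe(user, 100)` twice leaves `allowedAmount` at 100 rather than 200, and calling `allocateTokensUnsafe(user, 100)` twice passes both checks and releases 200; the hardened pair accumulates the allowance on the way in and debits it on the way out, which is the check a reviewer would want to see for an owner-only, off-chain-backed allocation path.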
Audit request
AMO: a security solution for connected cars, autonomous vehicles, and smart cars.
Source code
https://github.com/AMO-Project/AMO-Contracts/tree/master/contracts
Disclosure policy
support@amo.foundation
Platform
ETH
Number of lines: 399