search

EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0
131 stars 34 forks source link

dClinic #195

Closed yuriy77k closed 5 years ago

yuriy77k commented 5 years ago

Audit request

This smart contract is for dClinic organization. dClinic enables EHR and EMR records to be blockchain enabled. VIC tokens will be distributed as a loyalty tokens to all the patients that complete their tasks for shared health care summary. More information is available in www.dclinic.io

Source code

https://github.com/dclinicpteltd/smartContract/blob/master/VIC%20-%20dClinic

Disclosure policy

Ashwani.modi@dclinic.io

Platform

ETH

Number of lines

149

MrCrambo commented 5 years ago

Auditing time 1 day

RideSolo commented 5 years ago

Auditing time: 1 day

yuriy77k commented 5 years ago

@MrCrambo @RideSolo assigned

gorbunovperm commented 5 years ago

Estimated auditing time is 2 days.

yuriy77k commented 5 years ago

@gorbunovperm assigned

gorbunovperm commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

Security Audit Report

1. Summary

dClinic Token smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 2 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. Decrease Allowance

Severity: low

Description

decreaseAllowance throw in case if the value to be subtracted is higher than the amount that is allowed, if the address owner wants to change the value allowed by reducing it and the spender withdraw a part of it, the function might throw and give more chances for the spender to take the rest of the allowed value.

Code snippet

https://github.com/dclinicpteltd/smartContract/blob/master/VIC%20-%20dClinic#L256

Recommendation

Check if the value allowed is higher or equal to the value to be subtracted if not then set the allowed value to zero.

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/e9e41e54670b8b781ce77a6011926092

https://gist.github.com/yuriy77k/08a9b09bfe034bffd493bb571800a69d

https://gist.github.com/yuriy77k/cdc5d5164141247d22bba84fef0c3233

MillianoConti commented 5 years ago

Reddit announcement