Closed yuriy77k closed 5 years ago
Estimated audit time: 1 day.
@RideSolo assigned
Auditing time: 1 day.
Estimated auditing time is 1 day.
My report is finished.
My report is finished.
@danbogd @gorbunovperm assigned
IOSToken smart contract security audit report performed by Callisto Security Audit Department
Token description:
Symbol: IOST
Name: IOSToken
Total supply: 21,000,000,000
Decimals: 18
Standard: ERC20
In total, 4 issues were reported, including:
- 1 medium severity issue.
- 3 low severity issues.
A double withdrawal attack is possible. More details here.
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.
Add the following code to the transfer(_to address, ...) function:

```solidity
require( _to != address(this) );
```
The ERC-20 Token Standard specifies for the functions transfer and transferFrom:

> The function SHOULD throw if the _from account balance does not have enough tokens to spend.

But in this implementation it just returns false. This can lead to serious consequences, because checking the return value of this function is rare.
https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L60
https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L70
https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L108
address(0)
Transfer to address(0) is allowed when using the transfer or transferFrom functions.
https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L60
https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L70
Add zero address checking:

```solidity
require( _to != address(0) );
```
Even if the likelihood of such an issue representing a risk for users is very low, the reimplemented transferFrom with unlimited allowance to an address is not compliant with the ERC-20 standard. Users should be aware of it.
https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L108
The audited smart contract has some issues with ERC20 compliance that could cause money to be lost in a particular situation. We recommend fixing these issues.
https://gist.github.com/yuriy77k/ce4b26e2d0076584717ba0d083095d4e
https://gist.github.com/yuriy77k/9ac93e4cb81d884b85edb355ab7948e1
https://gist.github.com/yuriy77k/78729a1cad92e731b3ab77e884e9deee
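For reference, a transfer path that carries the three checks the report asks for (reject address(this), reject address(0), throw instead of returning false on insufficient balance, and no unlimited-allowance special case in transferFrom). This is an added illustration, not the IOSToken source or any auditor's code; the HardenedToken contract and its revert strings are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical ERC-20 transfer path carrying the three checks the report asks for.
// Illustration only, not the IOSToken source.
contract HardenedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function _transfer(address _from, address _to, uint256 _value) internal {
        // Low: reject the zero address instead of silently burning tokens.
        require(_to != address(0), "transfer to zero address");
        // Medium: reject the token contract itself; tokens sent there are stuck.
        require(_to != address(this), "transfer to token contract");
        // Low: the standard says SHOULD throw, so revert instead of returning false.
        require(balanceOf[_from] >= _value, "insufficient balance");
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        _transfer(msg.sender, _to, _value);
        return true;
    }

    function approve(address _spender, uint256 _value) public returns (bool) {
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        // Low: no unlimited-allowance special case; always check and decrement.
        require(allowance[_from][msg.sender] >= _value, "insufficient allowance");
        allowance[_from][msg.sender] -= _value;
        _transfer(_from, _to, _value);
        return true;
    }
}
```

Because every failing path reverts, a caller that ignores the boolean return value still cannot proceed on a failed transfer, which is the failure mode the report warns about.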
Answer from IOST team:
We are no longer an ERC20 since our February mainnet launch.
Audit request
Audit Top 200 CoinMarketCap tokens.
IOSToken (IOST)
https://iost.io/
Deployed at https://etherscan.io/address/0xfa1a856cfa3409cfa145fa4e20eb270df3eb21ab#code
Source code: https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756
Disclosure policy: Public
Platform: ETH
Number of lines: 78