EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department has conducted over 400 security audits since 2018. Not a single contract that we audited has been hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

IOSToken #196

Closed yuriy77k closed 5 years ago

yuriy77k commented 5 years ago

Audit request

Audit Top 200 CoinMarketCap tokens.

IOSToken (IOST)

IOSToken IOST
Circulating Supply 12 013 965 609
Total Supply 21 000 000 000

https://iost.io/

Deployed at https://etherscan.io/address/0xfa1a856cfa3409cfa145fa4e20eb270df3eb21ab#code

Source code

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756

Disclosure policy

Public

Platform

ETH

Number of lines

78

RideSolo commented 5 years ago

Estimated audit time: 1 day.

yuriy77k commented 5 years ago

@RideSolo assigned

danbogd commented 5 years ago

Auditing time: 1 day.

gorbunovperm commented 5 years ago

Estimated auditing time is 1 day.

gorbunovperm commented 5 years ago

My report is finished.

danbogd commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@danbogd @gorbunovperm assigned

yuriy77k commented 5 years ago

Security Audit Report

1. Summary

IOSToken smart contract security audit report performed by Callisto Security Audit Department

Token description:

Symbol      : IOST
Name        : IOSToken
Total supply: 21,000,000,000
Decimals    : 18 
Standard    : ERC20

2. In scope

3. Findings

In total, 4 issues were reported including:

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

3.2. Non-compliance with ERC-20 Token Standard.

Severity: medium

Description

ERC-20 Token Standard specifies for functions transfer and transferFrom:

The function SHOULD throw if the _from account balance does not have enough tokens to spend. But in this implementation it just returns false. This can lead to serious consequences, because checking the return value of this function is rare.

Code snippet

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L60

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L70

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L108

3.3. Transfer to address(0)

Severity: low

Description

Transfer to address(0) is allowed when using transfer or transferFrom functions.

Code snippet

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L60

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L70

Recommendation

Add a zero address check:

require( _to != address(0) );

3.4. Unlimited Allowance

Severity: low

Description

Even if the likelihood of such an issue representing a risk for users is very low, the reimplemented transferFrom with unlimited allowance to an address is not compliant with the ERC-20 standard. Users should be aware of it.

Code snippet

https://gist.github.com/yuriy77k/164e096306a2b117b68b4cf9cca9f756#file-iostoken-sol-L108

4. Conclusion

The audited smart contract has some issues with ERC20 compliance that could cause loss of funds in a particular situation. We recommend fixing these issues.

5. Revealing audit reports

https://gist.github.com/yuriy77k/ce4b26e2d0076584717ba0d083095d4e

https://gist.github.com/yuriy77k/9ac93e4cb81d884b85edb355ab7948e1

https://gist.github.com/yuriy77k/78729a1cad92e731b3ab77e884e9deee
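The four findings above (3.1 through 3.4) all concern the transfer and transferFrom paths of an ERC-20 token. The contract below is an added example and is not the IOSToken source or the auditors' code; it shows one way to write those paths so that each of the report's recommendations is met: reverting instead of returning false on insufficient balance (3.2), rejecting address(0) (3.3) and the token contract itself (3.1) as recipients, and debiting the allowance on every transferFrom with no special "unlimited" case that bypasses the standard's accounting (3.4). The token name, symbol and constructor supply are constructed placeholder values, and the contract targets Solidity 0.8.x, whose checked arithmetic is assumed for overflow protection.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.20;

// Added example contract (not IOSToken's code). Name, symbol and supply are
// constructed values chosen only to make the example compile stand-alone.
contract HardenedERC20 {
    string public constant name = "ExampleToken";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Recipient checks shared by transfer and transferFrom.
    // Finding 3.3: tokens sent to address(0) are effectively burned.
    // Finding 3.1: tokens sent to the token contract itself are stuck forever,
    // since the contract has no code path to move them out again.
    function _checkRecipient(address _to) internal view {
        require(_to != address(0), "ERC20: transfer to the zero address");
        require(_to != address(this), "ERC20: transfer to the token contract");
    }

    // Finding 3.2: the standard says the function SHOULD throw when the
    // sender's balance is insufficient. A silent `return false` is rarely
    // checked by callers, so the whole transaction reverts here instead.
    function _transfer(address _from, address _to, uint256 _value) internal {
        _checkRecipient(_to);
        require(balanceOf[_from] >= _value, "ERC20: insufficient balance");
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value; // 0.8.x checked arithmetic reverts on overflow
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) external returns (bool) {
        _transfer(msg.sender, _to, _value);
        return true; // only reached when the transfer actually happened
    }

    // Finding 3.4: the allowance is always debited by the amount spent. There
    // is no sentinel value that grants unbounded spending outside the
    // standard's allowance accounting.
    function transferFrom(address _from, address _to, uint256 _value) external returns (bool) {
        uint256 allowed = allowance[_from][msg.sender];
        require(allowed >= _value, "ERC20: insufficient allowance");
        allowance[_from][msg.sender] = allowed - _value;
        _transfer(_from, _to, _value);
        return true;
    }

    function approve(address _spender, uint256 _value) external returns (bool) {
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }
}
```

Because every failure path reverts, a caller that ignores the boolean return value (the situation finding 3.2 warns about) can no longer end up with a transaction that succeeded on-chain while moving no tokens. The approve race described in item 1 of finding 3.1 is a property of the standard's approve semantics and is not changed by these checks; it is listed in the report for awareness rather than fixed here.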

yuriy77k commented 5 years ago

Answer from IOST team:

we are no longer an ERC20 since our February mainnet launch.