EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

Asure Token #229

Closed yuriy77k closed 5 years ago

yuriy77k commented 5 years ago

Audit request

Asure Token is a utility token built on top of the Ethereum blockchain. Asure provides a scalable blockchain network for decentralized social security built around openness, privacy, and fairness, and brings together individuals, companies and governments in a digital world.

This document contains all the relevant requirements: https://www.asure.network/asure.network.tge.en.pdf

Source code

https://github.com/AsureNetwork/crowdsale/tree/master/packages/crowdsale/contracts

Disclosure policy

info@asure.io

Platform

ETH

Number of lines:

258

MrCrambo commented 5 years ago

Auditing time 2 days

danbogd commented 5 years ago

Auditing time: 3 days.

yuriy77k commented 5 years ago

@MrCrambo @danbogd assigned

RideSolo commented 5 years ago

Auditing time: 2 days

yuriy77k commented 5 years ago

@RideSolo assigned

danbogd commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

Asure Token Security Audit Report

1. Summary

Asure Token smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Commit hash 50cfbe81c88ba9be85419cc191298872435c4615.

3. Findings

In total, 7 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

3.2. Array Size

Severity: low

Description

In the drop function of the AsureBounty contract, the recipients and values arrays should be checked to have the same length.

Code snippet

https://github.com/AsureNetwork/crowdsale/blob/50cfbe81c88ba9be85419cc191298872435c4615/packages/crowdsale/contracts/AsureBounty.sol#L16

3.3. Inconsistencies with Asure Token Generation Event.

Severity: owner privileges

Description

  1. According to the whitepaper, soft cap and hard cap parameters are specified, but we can't see these functions in the code.

  2. According to the whitepaper, the Asure Team and Advisors will receive their tokens over two years after the start of the second phase, but in the constructor of the AsureCrowdsaleDeployer contract we can't see the Team and Advisor vesting parameters.

  3. According to the whitepaper, the minimum contribution is $100 (ETH equivalent), but we can't see this parameter in the code.

The contract is managed manually by the owner, which is not good for investors.

3.4. Owner Privileges

Severity: owner privileges

Description

The contract owner allows himself to:

  1. update the bonus rate, bonus time, crowdsale time and default rate before the crowdsale is opened.

  2. withdraw ETH and token funds before the end of the sale.

The contract is managed manually by the owner, which is not good for investors.

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/451e55756c987ff65ec9c365d60f03b5

https://gist.github.com/yuriy77k/5680e6009da2c5485b39e7135561088b

https://gist.github.com/yuriy77k/0102e9e8cc41043bf2e1a56e92ee1531
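The two low-severity recommendations in the report above (3.1, the `require(_to != address(this))` guard in `transfer`, and 3.2, the array length check in the bounty `drop` function) are illustrated below in one added example. This is not the Asure project's code and not part of the audit report; the contract and function names (`MinimalToken`, `BountyDrop`, `drop`), the parameter names and the compiler version are assumptions chosen for the illustration.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Added illustration only (not AsureNetwork/crowdsale code): a minimal
// ERC-20-style token carrying the guard recommended in finding 3.1.
contract MinimalToken {
    string public constant name = "Example Token";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        // Finding 3.1: tokens sent to the token contract itself have no
        // owner who can move them again, so reject the contract's own address.
        require(_to != address(this), "transfer to token contract");
        require(_to != address(0), "transfer to zero address");
        require(balanceOf[msg.sender] >= _value, "insufficient balance");
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }
}

// Assumed bounty distributor (the report's AsureBounty has a similar `drop`).
// The contract is funded by transferring tokens to it, then the owner
// distributes them in one call.
contract BountyDrop {
    MinimalToken public token;
    address public owner;

    constructor(MinimalToken _token) {
        token = _token;
        owner = msg.sender;
    }

    // Finding 3.2: without the length check, a shorter `values` array makes
    // the loop revert part-way with an out-of-bounds access (gas wasted,
    // nothing distributed), while a longer one silently ignores the extra
    // amounts and masks a caller mistake. Checking up front gives a clear
    // failure before any transfer is attempted.
    function drop(address[] calldata recipients, uint256[] calldata values) external {
        require(msg.sender == owner, "not owner");
        require(recipients.length == values.length, "array length mismatch");
        for (uint256 i = 0; i < recipients.length; i++) {
            require(token.transfer(recipients[i], values[i]), "transfer failed");
        }
    }
}
```

Deploying `MinimalToken`, then `BountyDrop` with the token's address, funding the bounty contract with `transfer`, and calling `drop` with one address array and one amount array of equal length exercises both checks; calling `drop` with mismatched lengths, or `transfer` with the token's own address as `_to`, reverts with the corresponding message.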

MillianoConti commented 5 years ago

Reddit announcement