search

EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0
131 stars 34 forks source link

ExploreCoin #236

Closed yuriy77k closed 5 years ago

yuriy77k commented 5 years ago

Audit request

ExploreCoin (EPL) is an ERC 20 token, smart contract recently deployed.

https://www.explorecoin.io/

Source code

https://etherscan.io/address/0x2802faad8a0f9595c1660c436c7e51d9ce97b1e9#code

Disclosure policy

admin@explorecoin.io

Platform

ETH

Number of lines:

128

RideSolo commented 5 years ago

Auditing time: 1 day.

yuriy77k commented 5 years ago

@RideSolo assigned

MrCrambo commented 5 years ago

Auditing time 1 day

gorbunovperm commented 5 years ago

Estimated auditing time is 1 day.

gorbunovperm commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@MrCrambo @gorbunovperm assigned

yuriy77k commented 5 years ago

ExploreCoin Security Audit Report

1. Summary

ExploreCoin smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 4 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. Decrease Allowance

Severity: low

Description

decreaseAllowance throw in case if the value to be substracted is higher than the amount that is allowed, if the address owner wants to change the value allowed by reducing it and the spender withdraw a part of it before, the function might throw and give more chances for the spender to take the rest of the allowed value.

The value should be set to zero if the value to be subtracted is higher than the allowance.

Code snippet

line 211

3.3. Zero address checking required

Severity: low

Description

In constructor at line 306 there have to be zero address checking for feeReceiver and tokenOwnerAddress.

Code snippet

line 306

3.4. EPL Token is not Burnable

Severity: note

Description

Functions _burn and _burnFrom are internal and unused.

Code snippet

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/18e58f1d87b9cf05db92b89b7512b87f

https://gist.github.com/yuriy77k/0e650f3827e33abcd9f45a68e71f03e4

https://gist.github.com/yuriy77k/13fb50504be43071bd55615ee38be669

Explorecoin commented 5 years ago

Thanks a lot for the audit.

MillianoConti commented 5 years ago

Announced:https://www.reddit.com/r/ExploreCoin/comments/c4kxd3/audit_of_explorecoin_token_performed_by_callisto/