Closed (yuriy77k closed this issue 5 years ago)
Auditing time 1 day
@MrCrambo assigned
Auditing time: 2 days.
@danbogd assigned
Estimated audit time: 1 day.
My report is finished.
@yuriy77k I have commented this issue for audit.
@RideSolo assigned
aXpire Token smart contract security audit report performed by Callisto Security Audit Department
Symbol: AXPR
Name: aXpire
Total supply: 350,000,000
Decimals: 18
Standard: ERC20
In total, 10 issues were reported, including:
1 medium severity issue.
4 low severity issues.
5 owner privileges (the ability of an owner to manipulate the contract, which may be risky for investors).
Following EIP-20 specifications: `transfer` and `transferFrom` are not compliant, since if `_value` is equal to 0 the functions do not fire a Transfer event and return false. `transfer` "SHOULD" throw when `msg.sender` doesn't have enough funds. `transferFrom` should throw and not return false if the `_from` address doesn't have enough funds or if the allowed value isn't enough to cover the transaction `_value`.
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L155
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L166
Contract owner allows himself to: approval/transfer/transferFrom, check here.
Following the ERC20 standard, the `approve` function "Allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again it overwrites the current allowance with _value." However, the implemented function throws if `allowed[msg.sender][_spender]` is different from zero and `_value` is different from zero. This partially solves the double withdrawal attack but creates incompatibility for some Dapps, and does not allow the user to directly reduce the allowance, creating a race between user and spender.
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L183
Following EIP-20, "A token contract which creates new tokens SHOULD trigger a Transfer event with the _from address set to 0x0 when tokens are created".
This issue is related to both the constructor and the `createTokens` function, since tokens are created and the Transfer event is not triggered.
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L277
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L317
In both `transfer` and `transferFrom`, transfers to `address(0)` are allowed.
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L155
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L166
A double withdrawal attack is possible. More details here.
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.
Add the following code to the `transfer(_to address, ...)` function:

```solidity
require( _to != address(this) );
```
The audited smart contract has issues with ERC20 compliance and cannot be used as an ERC20 token. The reported issues must be fixed prior to the usage of this contract.
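For reference, the following is an added example (not the aXpire contract and not code from the audit) of a minimal ERC20 token that follows the EIP-20 behaviours the report above flags as missing: zero-value transfers fire a Transfer event and return true, insufficient balance or allowance reverts instead of returning false, transfers to `address(0)` and to the token contract itself are rejected, `approve` follows the standard overwrite semantics with `increaseAllowance`/`decreaseAllowance` offered as the race-safe alternative, and minting emits a Transfer from `0x0`. The contract and function names (`MinimalERC20`, `mint`, `_transfer`, `_mint`) are the example's own assumptions, and it targets Solidity 0.8 rather than the 0.4-era compiler the audited contract used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited aXpire contract. Names are assumptions.
contract MinimalERC20 {
    string public constant name = "Example";
    string public constant symbol = "EXM";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    address public owner;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        _mint(msg.sender, initialSupply); // emits Transfer(0x0, deployer, supply)
    }

    // Shared path for transfer and transferFrom.
    // - Every failure reverts; nothing silently returns false.
    // - A zero _value is a normal transfer: event fired, true returned.
    // - Sending to 0x0 (accidental burn) or to the token contract itself
    //   (tokens stuck forever) is rejected.
    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "transfer to the zero address");
        require(to != address(this), "transfer to the token contract");
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "insufficient allowance");
        allowance[from][msg.sender] = allowed - value;
        _transfer(from, to, value);
        return true;
    }

    // Plain EIP-20 approve: always overwrites the current allowance.
    // Holders who want to avoid the approve front-running race use the
    // increase/decrease helpers below instead of the contract refusing
    // non-zero -> non-zero updates.
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        uint256 updated = allowance[msg.sender][spender] + added;
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    // Lets the holder reduce an allowance directly, without a race between
    // the holder and the spender.
    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "decreased allowance below zero");
        uint256 updated = current - subtracted;
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    // Token creation emits Transfer with _from set to 0x0, as EIP-20
    // recommends, so explorers and indexers see the created supply.
    function _mint(address to, uint256 value) internal {
        require(to != address(0), "mint to the zero address");
        totalSupply += value;
        balanceOf[to] += value;
        emit Transfer(address(0), to, value);
    }

    // Owner-only minting is itself an owner privilege of the kind the
    // report lists; it is kept here only to show the event requirement.
    function mint(address to, uint256 value) external {
        require(msg.sender == owner, "not owner");
        _mint(to, value);
    }
}
```

A quick check of each finding against this contract: `transfer(to, 0)` succeeds and emits `Transfer(msg.sender, to, 0)`; `transfer(to, balance + 1)` reverts rather than returning false; `transfer(address(0), v)` and `transfer(address(this), v)` both revert; `approve(spender, 5)` after `approve(spender, 3)` succeeds, and a holder who wants to lower an allowance without the race calls `decreaseAllowance`; deployment and `mint` both produce a `Transfer` whose `from` is `0x0`.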
https://gist.github.com/yuriy77k/d19fc5b0b1b91bd75b4a0d725ecf7c48
https://gist.github.com/yuriy77k/7fd07d4f6f1972916a6734f2c37b200c
https://gist.github.com/yuriy77k/d16d404a58342856e22fdd5e5976f776
Audit request
aXpire's smart contract was created to launch the token, and has some basic functions related to burning tokens.
Source code
https://etherscan.io/address/0xC39E626A04C5971D770e319760D7926502975e47#code
Disclosure policy
mm@axpire.com
Platform
ETH
Number of lines: 240