Closed: yuriy77k closed this issue 5 years ago
Auditing time 3 days
@MrCrambo assigned
Estimated auditing time: 3 days.
@RideSolo assigned
Estimated auditing time 3 days
@mobilipia assigned
Can't find the audit manager's email address
@mobilipia please, send your report to yuri@callisto.network
WeiDex v2 smart contract security audit report performed by Callisto Security Audit Department
In total, 7 issues were reported including:
4 low severity issues.
2 notes.
1 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).
No critical security issues were found.
Referral addresses are set in the `deposit` function of the `ExchangeMovements` contract. If users do not input a referral address and leave it empty, the referral reward will be assigned to address(0) in the `executeTrade` function of the `Exchange` contract.
The impact is that amounts of different tokens are locked at address 0x0 without any possibility of withdrawal; the amount varies with the traded volume and the number of users without referral addresses.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/Exchange.sol#L242
Check the `referrer` address in `executeTrade`: `referrer` should be different from address(0), and allocate the referral reward according to the result.
The `importEthers`/`importTokens` functions of `ExchangeUpgradability` do not set the referral address for a user when importing the user's funds from an old exchange address. This causes the same problem described in the "Referral Reward" issue.
In the `transfer` function of the `ExchangeMovements` contract, some requirements should be set to avoid sending balances to wrong addresses.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/ExchangeMovements.sol#L119
Add the following lines to the function:

```solidity
require(to != address(0));
require(to != address(this));
```
The `migrateFunds` function of `ExchangeUpgradability` does not check that the new exchange address is set to a non-null address.
The following issues are part of mock files that are probably used for tests only:
`transfer`/`transferFrom` do not check the destination address, which would avoid zero-address transfers or transfers to any other erroneous address.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/mocks/OldERC20.sol
As raised by the compiler ("Experimental features are turned on. Do not use experimental features on live deployments"), the audited code uses `ABIEncoderV2`, which is in an experimental phase and should not be deployed on a live network.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/Exchange.sol#L2
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/ExchangeBatchTrade.sol#L2
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/ExchangeOffering.sol#L2
The owner can migrate the exchange to a new contract address. This may cause issues if the new contract was not audited.
The audited smart contract can be deployed. Only low severity issues were found during the audit.
https://gist.github.com/yuriy77k/95510c49110e25766c1d75bd99e8d307
https://gist.github.com/yuriy77k/0523a14212bf02bdd9a6c7a047eaa002
https://gist.github.com/yuriy77k/e29ec5b85f2dd1380c39bbdcec1cee9f
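The referral-reward and `transfer` recommendations above, worked into a minimal ledger contract as an added example (this is not WeiDex code; the contract and member names and the 20% referral share are assumed, and crediting the unclaimed referral share to the fee account is one possible allocation, not one the report prescribes):

```solidity
pragma solidity ^0.5.0;

// Added illustration, not the WeiDex contracts: a minimal internal balance
// ledger with a referral fee split, showing the checks the report recommends.
// All names and the 20% referral share are assumed/constructed values.
contract ReferralLedger {
    // token (address(0) for ETH) => user => balance held by the exchange
    mapping(address => mapping(address => uint256)) public balances;
    mapping(address => address) public referrals; // user => referrer
    address public feeAccount;
    uint256 public constant REFERRAL_SHARE_BPS = 2000; // 20% of the trade fee

    constructor(address _feeAccount) public {
        require(_feeAccount != address(0));
        feeAccount = _feeAccount;
    }

    // Deposit ETH and record the referrer once. An empty referrer input leaves
    // referrals[user] == address(0), the case the report flags for executeTrade.
    function deposit(address referrer) public payable {
        if (referrals[msg.sender] == address(0) && referrer != address(0) && referrer != msg.sender) {
            referrals[msg.sender] = referrer;
        }
        balances[address(0)][msg.sender] += msg.value;
    }

    // Internal transfer hardened as the report suggests: reject zero and self.
    function transfer(address token, address to, uint256 amount) public {
        require(to != address(0));
        require(to != address(this));
        require(balances[token][msg.sender] >= amount);
        balances[token][msg.sender] -= amount;
        balances[token][to] += amount;
    }

    // Fee settlement for a trade: the referral share is credited only when a
    // referrer exists; otherwise the whole fee goes to feeAccount instead of
    // being locked at address(0).
    function _settleFee(address token, address trader, uint256 fee) internal {
        address referrer = referrals[trader];
        uint256 referralReward = 0;
        if (referrer != address(0)) {
            referralReward = fee * REFERRAL_SHARE_BPS / 10000;
            balances[token][referrer] += referralReward;
        }
        balances[token][feeAccount] += fee - referralReward;
    }
}
```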
Audit request
Decentralized exchange for crypto assets. Improved version of the protocol + built-in incentive for the makers.
Source code
https://github.com/weichain/weidex-eth-v2
Disclosure policy
support@weidex.market
Platform
ETH
Number of lines: 904 * 0.5 = 452 (reaudit of https://github.com/EthereumCommonwealth/Auditing/issues/84)