search

EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0
131 stars 34 forks source link

LUTOKEN #248

Closed yuriy77k closed 5 years ago

yuriy77k commented 5 years ago

Audit request

Smart contract Token ERC20

Source code

https://github.com/CINEMADROM/SMART-CONTRACT/blob/master/LUTOKEN.sol

Disclosure policy

ico@cinemadrom.com

Platform

ETH

Number of lines:

309

danbogd commented 5 years ago

Auditing time: 2 days.

yuriy77k commented 5 years ago

@danbogd assigned

gorbunovperm commented 5 years ago

Estimated auditing time is 2 days.

gorbunovperm commented 5 years ago

My report is finished.

MrCrambo commented 5 years ago

Auditing time 2 days

yuriy77k commented 5 years ago

@gorbunovperm @MrCrambo assigned

danbogd commented 5 years ago

My report is finished.

mobilipia commented 5 years ago

Auditing time 2days

yuriy77k commented 5 years ago

LUTOKEN Security Audit Report

1. Summary

LUTOKEN smart contract security audit report performed by Callisto Security Audit Department

Smart contract Token ERC20

https://cinemadrom.com/

2. In scope

Commit hash: efdf556013c20b225ae31261ef95d8911e0b37fe

  1. LUTOKEN.sol

Notice: UpgradeAgent.upgradeFrom() method is not audited because the lack of method code here.

3. Findings

In total, 6 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. ERC20 Compliance: event missing

Severity: low

Description

According to ERC20 standard, when initializing a token contract if any token value is set to any given address a Transfer event should be emitted. An event isn't emitted when assigning the initial supply to the msg.sender.

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L585

3.3. Owner privileges

Severity: owner privileges

Description

  1. Owner can pause transfers any time he wants.
  2. Owner can freeze at any time he wants.
  3. Owner can upgrade contract and implement any logic in the new contract. And even if the new contract will be audited, at any time possible to change the address of the new contract again to not audited and insecure.

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L100

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L622

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L503

3.4. Required check for an 0x0 address

Severity: low

Description

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L477

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L617

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/0c0b5327bfb28a5f061e3773af2b44d0

https://gist.github.com/yuriy77k/b80c07a36e5c276351c89c3bb535aab7

https://gist.github.com/yuriy77k/c34b18d43ab2d60a02f195061ae1a4d5

yuriy77k commented 5 years ago

@mobilipia Not assigned. Audit completed.