Closed carlossampol closed 5 years ago
Auditing time 1 day
@MrCrambo assigned
Auditing time 2 days.
Estimated time 2 days
@danbogd @codeblcks assigned
My report is finished.
@codeblcks did you finish audit?
@codeblcks removed from this audit. Another auditor can take this contract for audit.
Estimated auditing time is 1 day.
My report is finished.
@gorbunovperm assigned
KINGS GLOBAL smart contract security audit report performed by Callisto Security Audit Department
KINGS GLOBAL is an Erc20 token use for Charity, Welfare, Shopping, Social, Media gallery for payment and royalty reward within the community and entire crypto space.
https://etherscan.io/address/0xfda1f5278b9aa923b5e581565d599810c78c71f5#contracts
In total, 5 issues were reported including:
1 medium severity issues.
4 low severity issues.
No critical security issues were found.
From ERC-20 specification:
The function SHOULD throw if the _from account balance does not have enough tokens to spend.
But in this implementation it just returns false. This can lead to serious consequences. Because checking the return value of this function is rare.
function transfer(address _to, uint256 _value) returns (bool success) {
if (balances[msg.sender] >= _value && _value > 0) {
balances[msg.sender] -= _value;
balances[_to] += _value;
Transfer(msg.sender, _to, _value);
return true;
} else { return false; }
}
function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {
if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) {
balances[_to] += _value;
balances[_from] -= _value;
allowed[_from][msg.sender] -= _value;
Transfer(_from, _to, _value);
return true;
} else { return false; }
}
EIP20 says that: Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event.
But in this contract, function transfer has a condition:
_value > 0
function transfer(address _to, uint256 _value) returns (bool success) {
if (balances[msg.sender] >= _value && _value > 0) {
balances[msg.sender] -= _value;
balances[_to] += _value;
Transfer(msg.sender, _to, _value);
return true;
} else { return false; }
}
function transferFrom(address _from, address _to, uint256 _value) returns (bool success) {
if (balances[_from] >= _value && allowed[_from][msg.sender] >= _value && _value > 0) {
balances[_to] += _value;
balances[_from] -= _value;
allowed[_from][msg.sender] -= _value;
Transfer(_from, _to, _value);
return true;
} else { return false; }
}
It is possible to double withdrawal attack. More details here.
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.
Add into a function transfer(address _to, ... )
following code:
require( _to != address(this) );
Incoming addresses should be checked for an empty value(0x0
address) to avoid loss of funds or blocking some functionality.
transfer()
, line 47transferFrom()
, line 57According to ERC20 standard, when initializing a token contract if any token value is set to any given address a Transfer
event should be emitted.
An event isn't emitted when assigning the initial supply to the msg.sender.
KINGSGLOBAL()
, line 107The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
https://gist.github.com/yuriy77k/8eb8f92679114ba92de78a1af5444de8
https://gist.github.com/yuriy77k/780e1e15da219c1414a72e04ec9d2d82
https://gist.github.com/yuriy77k/2399fc5377d29ab1cd59f1fe531b6c0e
Audit request
KINGS GLOBAL is an Erc20 token use for Charity, Welfare, Shopping, Social, Media gallery for payment and royalty reward within the community and entire crypto space.
Source code
https://etherscan.io/address/0xfda1f5278b9aa923b5e581565d599810c78c71f5#contracts
Disclosure policy
Kingsglobaltoken2019@gmail.com
Platform
Ethereum
Number of lines:
81