EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

Nexo #285

Closed MillianoConti closed 5 years ago

MillianoConti commented 5 years ago

Audit request

Nexo is the most advanced and trusted instant crypto lending provider on a global scale, servicing 40+ currencies across more than 200 jurisdictions. https://nexo.io/

Source code

https://github.com/nexofinance/NEXO-Token/blob/master/contracts/NexoToken.sol

Disclosure policy

info@nexo.io

Platform

Eth

Number of lines:

164

MrCrambo commented 5 years ago

Auditing time 1 day

yuriy77k commented 5 years ago

@MrCrambo assigned

RideSolo commented 5 years ago

Auditing time: 1 day

yuriy77k commented 5 years ago

@RideSolo assigned

danbogd commented 5 years ago

Auditing time: 1 day.

yuriy77k commented 5 years ago

@danbogd assigned

danbogd commented 5 years ago

Audit paused.

danbogd commented 5 years ago

My report is finished.

MrCrambo commented 5 years ago

My report is finished

yuriy77k commented 5 years ago

Nexo Security Audit Report

1. Summary

Nexo smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Commit hash 3571169b3365adfc92c5bd743cc75b5184a2172a.

3. Findings

In total, 3 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

A double withdrawal attack is possible. More details here.

3.2. Owner Privileges

Severity: owner privileges

Description

The owner allows himself to call the transferFrom function from the investors, community and advisers addresses, so there is a risk to investors that the owner will transfer these tokens to another address.

Code snippet

https://github.com/nexofinance/NEXO-Token/blob/master/contracts/NexoToken.sol#L103

3.3. Address is not correct.

Severity: note

Description

Don't forget to change the addresses before deploying the contract.

Code snippet

https://github.com/nexofinance/NEXO-Token/blob/3571169b3365adfc92c5bd743cc75b5184a2172a/contracts/NexoToken.sol#L31

https://github.com/nexofinance/NEXO-Token/blob/3571169b3365adfc92c5bd743cc75b5184a2172a/contracts/NexoToken.sol#L42

https://github.com/nexofinance/NEXO-Token/blob/3571169b3365adfc92c5bd743cc75b5184a2172a/contracts/NexoToken.sol#L57

https://github.com/nexofinance/NEXO-Token/blob/3571169b3365adfc92c5bd743cc75b5184a2172a/contracts/NexoToken.sol#L75

https://github.com/nexofinance/NEXO-Token/blob/3571169b3365adfc92c5bd743cc75b5184a2172a/contracts/NexoToken.sol#L92

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/2bf5ef25e14b3c8fe974092f082e73ef

https://gist.github.com/yuriy77k/35cb280c011e56ae697b72d5dd0c379e

https://gist.github.com/yuriy77k/c8775b71c10309e21c343bd1400f965c
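The double withdrawal issue named in finding 3.1 comes from ERC-20 `approve` overwriting an allowance without regard to what the spender has already pulled. The model below is an added illustration, not part of the audit report or of NexoToken's code; the class and function names are hypothetical, and it compares the plain overwrite with a compare-and-set approve as one possible mitigation.

```python
# Added illustration: minimal in-memory model of ERC-20 allowance bookkeeping.
# Allowance, approve_cas and change_allowance are hypothetical names, not NexoToken code.

class Allowance:
    """Tracks one owner->spender allowance and how much the spender has pulled."""

    def __init__(self):
        self.value = 0   # current allowance
        self.spent = 0   # total moved by the spender via transferFrom

    def approve(self, amount):
        # Standard ERC-20 approve: overwrites, ignoring what was already spent.
        self.value = amount

    def approve_cas(self, expected, amount):
        # Compare-and-set variant: applies only if the allowance is still
        # the value the owner saw when signing the transaction.
        if self.value != expected:
            return False
        self.value = amount
        return True

    def transfer_from(self, amount):
        # Spender pulls tokens; fails if the allowance is insufficient.
        if amount > self.value:
            return False
        self.value -= amount
        self.spent += amount
        return True


def change_allowance(old, new, safe):
    """Owner changes an allowance from `old` to `new`, but the spender's
    transferFrom(old) is ordered first. Returns the total the spender receives."""
    a = Allowance()
    a.approve(old)
    a.transfer_from(old)            # spender's transaction lands first
    if safe:
        a.approve_cas(old, new)     # rejected: allowance is now 0, not `old`
    else:
        a.approve(new)              # overwrite grants a fresh `new`
    a.transfer_from(new)            # second pull succeeds only if allowance was reset
    return a.spent


if __name__ == "__main__":
    print("plain approve:  ", change_allowance(100, 50, safe=False))
    print("compare-and-set:", change_allowance(100, 50, safe=True))
```

With the plain overwrite the spender ends up with `old + new` tokens, more than either allowance the owner intended; with the compare-and-set check the exposure stays capped at `old`.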

MillianoConti commented 5 years ago

Announced: https://www.reddit.com/r/Nexo/comments/c3naxw/audit_of_nexo_token_performed_by_callisto_network/