EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department has conducted over 400 security audits since 2018. Not a single contract that we audited has been hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

IoTeX #296

Closed MillianoConti closed 5 years ago

MillianoConti commented 5 years ago

Audit request

IoTeX uses Roll-DPoS, where Delegates “prove their stake” by committing time, hardware, and tokens to the network. https://member.iotex.io/

Source code

https://github.com/iotexproject/IOTX-token-contracts/tree/master/contracts

Exclude Migration.sol

Disclosure policy

https://t.me/IoTeXGroup

Platform

Eth

Number of lines:

183

yuriy77k commented 5 years ago

@MillianoConti when you add audit requests, please use only the form on our website. The request will be added to GitHub automatically. In the request description you can indicate that it is from you.

danbogd commented 5 years ago

Auditing time: 1 day.

danbogd commented 5 years ago

My report is finished.

MrCrambo commented 5 years ago

Auditing time 1 day

yuriy77k commented 5 years ago

@MrCrambo @danbogd assigned

MrCrambo commented 5 years ago

My report is finished

gorbunovperm commented 5 years ago

Estimated auditing time is 1 day.

yuriy77k commented 5 years ago

@gorbunovperm assigned

gorbunovperm commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

IoTeX Security Audit Report

1. Summary

IoTeX smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Commit hash 13b1b1053529effce653deabfec427b70800eb42.

3. Findings

In total, 2 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. Owner Privileges

Severity: owner privileges

Description

The contract owner allows himself to:

pause functions of the contract (transfer, transferFrom, approve, increaseApproval, decreaseApproval) here.

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/45a3751e1d135df8f6db33ee8df7ae9d

https://gist.github.com/yuriy77k/b350f165d69377de14d160988ba78196

https://gist.github.com/yuriy77k/b9d7f27bfc2ff25385c44431a14ea135
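As an added illustration of recommendation 3.1 (this is not code from the IoTeX contracts or from the auditors' reports), a minimal token whose transfer rejects the token contract's own address as recipient, together with the increaseApproval/decreaseApproval pattern the report's item 3.2 lists, which mitigates the double withdrawal (approve front-running) issue. The contract name and the pragma version are assumptions.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Hypothetical minimal token written to illustrate the audit's recommendation.
// It is not the IoTeX token; the contract name and version are assumptions.
contract GuardedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 _supply) {
        totalSupply = _supply;
        balanceOf[msg.sender] = _supply;
    }

    // Recommendation 3.1: tokens sent to the token contract itself would be
    // locked forever, because nothing in the contract can move them out again.
    function transfer(address _to, uint256 _value) public returns (bool) {
        require(_to != address(this), "recipient is the token contract");
        balanceOf[msg.sender] -= _value;   // reverts on underflow in 0.8.x
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    // Double withdrawal: overwriting a non-zero allowance with approve() lets a
    // spender who front-runs the change spend both the old and the new amount.
    // Relative adjustments avoid that race.
    function increaseApproval(address _spender, uint256 _added) public returns (bool) {
        allowance[msg.sender][_spender] += _added;
        emit Approval(msg.sender, _spender, allowance[msg.sender][_spender]);
        return true;
    }

    function decreaseApproval(address _spender, uint256 _subtracted) public returns (bool) {
        uint256 current = allowance[msg.sender][_spender];
        // Clamp at zero instead of reverting, so a stale value cannot block the decrease.
        allowance[msg.sender][_spender] = _subtracted >= current ? 0 : current - _subtracted;
        emit Approval(msg.sender, _spender, allowance[msg.sender][_spender]);
        return true;
    }
}
```

The same recipient check belongs in transferFrom, which is omitted here for brevity.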

MillianoConti commented 5 years ago

Reddit Announced