EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

Maximine Coin (MXM) #330

Closed carlossampol closed 5 years ago

carlossampol commented 5 years ago

Audit request

Audit Top 200 CoinMarketCap tokens.

Maximine Coin (MXM)

https://maximine.io/

Source code

https://etherscan.io/address/0x8e766f57f7d16ca50b4a0b90b88f6468a09b0439#code

Disclosure policy

public

Platform

Ethereum

Number of lines:

88

MrCrambo commented 5 years ago

Auditing time 1 day

yuriy77k commented 5 years ago

@MrCrambo assigned

gorbunovperm commented 5 years ago

Estimated auditing time is 1 day.

gorbunovperm commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@gorbunovperm assigned

MrCrambo commented 5 years ago

My report is finished

danbogd commented 5 years ago

Auditing time: 1 day.

danbogd commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@danbogd assigned

yuriy77k commented 5 years ago

Maximine Coin (MXM) Security Audit Report

1. Summary

Maximine Coin (MXM) smart contract security audit report performed by Callisto Security Audit Department

Audit Top 200 CoinMarketCap tokens.

Maximine Coin (MXM)

2. In scope

  1. MXM.sol

3. Findings

In total, 5 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. ERC20 Compliance — event missing

Severity: low

Description

According to the ERC20 standard, when coins are minted (or burned) a Transfer event should be emitted.

Code snippet

3.3. ERC20 Compliance — transfer returns

Severity: low

Description

According to the EIP20 standard, the transfer function should return a boolean value: function transfer(address _to, uint256 _value) public returns (bool success). But here it is not implemented.

Code snippet

3.4. ERC20 Compliance: zero-value transfers rejecting

Severity: low

Description

EIP20 says that:

Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event. But in this contract, function transfer has a condition:

require(balanceOf[_to] + _value > balanceOf[_to]);

Code snippet

3.5. Owner Privileges

Severity: owner privileges

Description

The contract owner is allowed to ban the transfer functions for certain users.

Code snippet

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/47daa3e68f380c48e40ff1d101b83d64

https://gist.github.com/yuriy77k/d59b2a1e8b4801fff49b18b6456d7435

https://gist.github.com/yuriy77k/f5baefc0963cc674897d5f81413fa605

MillianoConti commented 5 years ago

Reddit Announced