search

EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0
131 stars 34 forks source link

Dai #340

Closed carlossampol closed 5 years ago

carlossampol commented 5 years ago

Audit request

Audit Top 200 CoinMarketCap tokens.

Dai (DAI) stablecoin

http://www.makerdao.com/

Source code

https://etherscan.io/address/0x89d24a6b4ccb1b6faa2625fe562bdd9a23260359#code

Disclosure policy

public

Platform

Ethereum

Number of lines:

238

MrCrambo commented 5 years ago

Auditing time 2 days

yuriy77k commented 5 years ago

@MrCrambo assigned.

MrCrambo commented 5 years ago

My report is finished

gorbunovperm commented 5 years ago

Estimated auditing time is 2 days.

gorbunovperm commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@gorbunovperm assigned

danbogd commented 5 years ago

Auditing time 2 days.

yuriy77k commented 5 years ago

@danbogd assigned.

danbogd commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

Dai Security Audit Report

1. Summary

Dai smart contract security audit report performed by Callisto Security Audit Department

Audit Top 200 CoinMarketCap tokens. Dai (DAI) stablecoin.

http://www.makerdao.com/

2. In scope

  1. DaiToken.sol

3. Findings

In total, 4 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. Blocking transferring

Severity: owner privileges

Description

The contract owner allowed to block transfer functions( transferFrom, approve, mint, burn).

Code snippet

3.3. ERC20 Compliance — event missing

Severity: low

Description

According to ERC20 standard when coins are minted(or burned) a Transfer event should be emitted.

Code snippet

3.4. Checking input addresses

Severity: low

Description

Incoming addresses should be checked for an empty value(0x0 address) to avoid loss of funds or blocking some functionality.

Code snippet

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/bf2ea7c611b07073262d216d05de3b30

https://gist.github.com/yuriy77k/8cc19398ee91c3dd236f30a5b91c2d97

https://gist.github.com/yuriy77k/fbdccd8b26e383f9592153263f1a7c4e

MillianoConti commented 5 years ago

Reddit Announced