MrCrambo
commented
5 years ago Auditing time 1 day
Closed carlossampol closed 5 years ago
MrCrambo
commented
5 years ago Auditing time 1 day
MrCrambo
commented
5 years ago My report is finished
yuriy77k
commented
5 years ago @MrCrambo assigned
danbogd
commented
5 years ago Auditing time: 1 day.
danbogd
commented
5 years ago My report is finished.
yuriy77k
commented
5 years ago @danbogd assigned.
gorbunovperm
commented
5 years ago Estimated auditing time is 1 day.
gorbunovperm
commented
5 years ago My report is finished.
yuriy77k
commented
5 years ago @gorbunovperm assigned.
yuriy77k
commented
5 years ago KuCoin Shares smart contract security audit report performed by Callisto Security Audit Department
Audit Top 200 CoinMarketCap tokens.
In total, 5 issues were reported including:
2 medium severity issues.
3 low severity issues.
No critical security issues were found.
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.
Add the following code to the transfer(_to address, ...) function:
require( _to != address(this) );
In the ERC-20 standard here should be approve, transferFrom, allowance, balanceOf functions, but here its are missing.
An event isn't emitted when assigning the initial supply to the msg.sender.
Line 33.
function MyToken(
uint256 initialSupply,
string tokenName,
uint8 decimalUnits,
string tokenSymbol
) {
balanceOf[msg.sender] = initialSupply; // Give the creator all initial tokens
totalSupply = initialSupply; // Update total supply
name = tokenName; // Set the name for display purposes
symbol = tokenSymbol; // Set the symbol for display purposes
decimals = decimalUnits; // Amount of decimals for display purposes
}balances[_to] + value should be able to be equal to balance[to] since value can be zero and the ERC20 standard states that transfers with value zero MUST be allowed. As it stands, this implementation threatens to break ERC20 compliance.
Line 43.
function _transfer(address _from, address _to, uint _value) internal {
require (_to != 0x0); // Prevent transfer to 0x0 address. Use burn() instead
require (balanceOf[_from] > _value); // Check if the sender has enough
require (balanceOf[_to] + _value > balanceOf[_to]); // Check for overflows
balanceOf[_from] -= _value; // Subtract from the sender
balanceOf[_to] += _value; // Add the same to the recipient
Transfer(_from, _to, _value);
}
require (balanceOf[_from] >= _value);
require (balanceOf[_to] + _value >= balanceOf[_to]);transfer not returnsAccording to ERC20 standard the transfer function should return bool value:
function transfer(address _to, uint256 _value) public returns (bool success)
But this contract is not implemented this.
The audited smart contract has many ERC20 noncompliance and can't be used as ERC20 token.
https://gist.github.com/yuriy77k/f26078e655429fe7bf9a121623468c08
https://gist.github.com/yuriy77k/df8339da6c241ab016ef9814efd42476
https://gist.github.com/yuriy77k/8fd11672a300f961f3f0887eaf6da7df
Audit request
Audit Top 200 CoinMarketCap tokens.
KuCoin Shares (KCS)
https://www.kucoin.com/
Source code
https://etherscan.io/address/0x039b5649a59967e3e936d7471f9c3700100ee1ab#code
Disclosure policy
public
Platform
Ethereum
Number of lines:
42