EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

Curate (CUR8) Token. #366

Closed carlossampol closed 5 years ago

carlossampol commented 5 years ago

Audit request

CURATE is a style discovery decentralized app (DApp) i.e 'blockchain smart contract enabled' platform, which rewards users with digital tokens in the form of BTC, ETH and our own $CUR8 tokens in return for users curating fashion styles.

The audit request is for our own ERC-20 token Curate (CUR8).

GitHub: https://github.com/curate-project
Website: https://curate.style/

Source code

https://etherscan.io/address/0x490dbf7884b8e13c2161448b83dd2d8909db48ed#code

Disclosure policy

jmshkm@me.com

Platform

Ethereum

Number of lines:

108

MrCrambo commented 5 years ago

Auditing time is 1 day

yuriy77k commented 5 years ago

@MrCrambo assigned.

MrCrambo commented 5 years ago

My report is finished

danbogd commented 5 years ago

Auditing time is 1 day.

danbogd commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@danbogd assigned.

RideSolo commented 5 years ago

Auditing time 1 day

yuriy77k commented 5 years ago

@RideSolo assigned

yuriy77k commented 5 years ago

Curate (CUR8) Token Security Audit Report

1. Summary

Curate (CUR8) Token smart contract security audit report performed by Callisto Security Audit Department

Symbol       : CUR8
Name         : Curate
Capped supply: 100,000,000
Decimals     : 8 
Standard     : ERC20

2. In scope

3. Findings

In total, 2 issues were reported including:

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. Burn Mechanism

Severity: low

Description

Transfers to address 0 are used as a basic burn mechanism; however, a transfer to the zero address can also be the result of a mistake by a user or a dapp. The developers should take this into consideration.

Code snippet

    function transfer(address to, uint tokens) public returns (bool success) {
        balances[msg.sender] = safeSub(balances[msg.sender], tokens);
        balances[to] = safeAdd(balances[to], tokens);
        Transfer(msg.sender, to, tokens);
        return true;
    }
    function transferFrom(address from, address to, uint tokens) public returns (bool success) {
        balances[from] = safeSub(balances[from], tokens);
        allowed[from][msg.sender] = safeSub(allowed[from][msg.sender], tokens);
        balances[to] = safeAdd(balances[to], tokens);
        Transfer(from, to, tokens);
        return true;
    }
    function totalSupply() public constant returns (uint) {
        return _totalSupply  - balances[address(0)];
    }

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/5ad87c96038fe675464e03df5a2960a1

https://gist.github.com/yuriy77k/515f895dfb06b566c0a99478a333b0fd

https://gist.github.com/yuriy77k/90fd91fcf6b5f81094af0bfc74ba5054
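As an added illustration of how findings 3.1 and 3.2 above can be addressed together (this is example code, not the audited Curate contract and not Callisto's code), the following Solidity 0.8 token subset refuses transfers to the token contract itself, refuses transfers to the zero address in favour of an explicit burn() that reduces totalSupply, and uses the reset-to-zero approve pattern as one common mitigation for the double-withdrawal race. The contract name, token name/symbol, the Burn event and the initialSupply constructor parameter are assumptions for the example.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

/// Added example, not the audited Curate (CUR8) contract: a minimal ERC-20
/// subset showing how both low-severity findings can be addressed.
/// Contract name, token name/symbol and the Burn event are assumptions.
contract HardenedToken {
    string public constant name = "Example Token";   // constructed sample values
    string public constant symbol = "EXT";
    uint8 public constant decimals = 8;

    uint256 private _totalSupply;
    mapping(address => uint256) private _balances;
    mapping(address => mapping(address => uint256)) private _allowed;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
    event Burn(address indexed from, uint256 value);

    constructor(uint256 initialSupply) {
        _totalSupply = initialSupply;
        _balances[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function totalSupply() public view returns (uint256) {
        // No "minus balances[address(0)]" trick: burned tokens are removed from
        // the supply explicitly in burn(), so the zero address never holds tokens.
        return _totalSupply;
    }

    function balanceOf(address owner) public view returns (uint256) {
        return _balances[owner];
    }

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowed[owner][spender];
    }

    // Finding 3.1 recommendation: refuse transfers to the token contract itself,
    // which would otherwise lock the tokens since the contract cannot move them.
    // Finding 3.2: refuse the zero address too, so an accidental "burn" caused by
    // an uninitialised address in a dapp reverts instead of destroying tokens.
    function _transfer(address from, address to, uint256 tokens) internal {
        require(to != address(this), "transfer to token contract");
        require(to != address(0), "transfer to zero address; use burn()");
        // Solidity 0.8 checked arithmetic reverts on underflow, replacing safeSub.
        _balances[from] -= tokens;
        _balances[to] += tokens;
        emit Transfer(from, to, tokens);
    }

    function transfer(address to, uint256 tokens) public returns (bool) {
        _transfer(msg.sender, to, tokens);
        return true;
    }

    function transferFrom(address from, address to, uint256 tokens) public returns (bool) {
        _allowed[from][msg.sender] -= tokens;  // reverts if the allowance is insufficient
        _transfer(from, to, tokens);
        return true;
    }

    // One widely used mitigation for the approve/transferFrom double-withdrawal
    // race (finding 3.1): an allowance must be reset to zero before it can be
    // changed to a new non-zero value.
    function approve(address spender, uint256 tokens) public returns (bool) {
        require(tokens == 0 || _allowed[msg.sender][spender] == 0, "reset allowance to 0 first");
        _allowed[msg.sender][spender] = tokens;
        emit Approval(msg.sender, spender, tokens);
        return true;
    }

    // Explicit burn replaces "transfer to address 0" (finding 3.2): the intent is
    // unambiguous, the supply is reduced on-chain, and a dedicated event records it.
    function burn(uint256 tokens) public returns (bool) {
        _balances[msg.sender] -= tokens;
        _totalSupply -= tokens;
        emit Burn(msg.sender, tokens);
        emit Transfer(msg.sender, address(0), tokens);
        return true;
    }
}
```

With this layout a wallet or dapp that mistakenly targets the zero address or the token contract gets a revert rather than a silent loss, and the only way to destroy tokens is a call whose name states that intent; the audited snippet's `_totalSupply - balances[address(0)]` accounting becomes unnecessary because the zero balance can never grow.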