Closed MillianoConti closed 4 years ago
Auditing time: 3 days.
My report is finished.
@danbogd assigned
Auditing time is 2 days
@MrCrambo assigned
My report is finished
Auditing time: 2 days
@RideSolo assigned
The contract contains a critical severity security issue. The developer is informed about it.
FriendsFingers smart contract security audit report performed by Callisto Security Audit Department
In total, 6 issues were reported including:
1 critical severity issue.
1 low severity issue.
4 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).
The closeCrowdsale function member of FriendsFingersBuilder, designed to finalize the crowdsale, is only accessible by the owner or the crowdsale creator; however, the finalize function member of FriendsFingersCrowdsale is public. If any attacker calls finalize directly and all the conditions to finalize the crowdsale are met, FriendsFingersBuilder's function closeCrowdsale won't execute, since it calls the finalize function, which will throw because it was previously called. This will leave the token contract in a minting state, since finishMinting can't be called anymore.
The Token contract is designed to block all transfers until mintingFinished is set to true, meaning that an attacker can block the newly deployed token's transfers for all users and make the ICO fail.
FriendsFingers dapp is a tool for entrepreneurs to deploy an ICO without the need to deploy a dapp or develop it by themselves; however, people using FriendsFingers should be aware that they have no control over the ICO, everything has to be handled through the FriendsFingers owner.
1. FriendsFingers owner can pause claimRefund, buyTokens and finalize without any restriction using pauseCrowdsale/unpauseCrowdsale (please note that, for example, pausing finalize will allow the FriendsFingers owner to possibly withdraw the funds collected by the ICO, which do not belong to them in any way, using safeWithdrawal or setExpiredAndWithdraw after a year from the end of the ICO).
2. FriendsFingers owner can blockCrowdsale and allow the users to withdraw their ether, supposing that no action was taken by FriendsFingers to withdraw the investors' funds.
3. FriendsFingers owner can call setFriendsFingersRateForCrowdsale or setDefaultFriendsFingersRate.
4. During crowdsale creation, the owner may set the wrong endTime and withdraw Ethereum before investors get a refund.
The claimRefunds function could fail if the owner sets the end time to a date one year in the past and sends himself ether using the function safeWithdrawal.
Add code below:
require(_endTime > _startTime);
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
https://gist.github.com/RideSolo/dee4dd5975dad8c0ca82deddfd5c5567
https://gist.github.com/MrCrambo/516f38cdbc71b70c4e8dcfdf33505b3b
https://gist.github.com/yuriy77k/d149fca062b286f839a4d39f6ca693d8
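The two findings above (the public finalize() racing the builder's closeCrowdsale(), and the unchecked endTime letting the owner reach safeWithdrawal() before any refund) as one added Solidity illustration. This is not FriendsFingers' code and not from the audit thread: the contract names, the one-year withdrawal delay, the simplified token and the constructor checks are assumptions modelled on the report's description; only the call pattern (public finalize(), builder calling finalize() then finishMinting(), transfers blocked until mintingFinished) mirrors what the report states.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the two findings above; not FriendsFingers' own code.
// All names and the 365-day withdrawal delay are assumed. Only the call pattern
// (public finalize(), closeCrowdsale() -> finalize() -> finishMinting()) mirrors the report.

contract DemoToken {
    address public minter;                  // the builder
    bool public mintingFinished;
    mapping(address => uint256) public balanceOf;

    constructor(address _minter) { minter = _minter; }

    function finishMinting() external {
        require(msg.sender == minter && !mintingFinished, "cannot finish minting");
        mintingFinished = true;
    }

    // Transfers stay blocked until minting is finished, as the report describes.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(mintingFinished, "transfers locked");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract DemoCrowdsale {
    address public owner;                   // the builder
    uint256 public startTime;
    uint256 public endTime;
    bool public isFinalized;
    uint256 public constant WITHDRAWAL_DELAY = 365 days;   // assumed delay

    constructor(uint256 _startTime, uint256 _endTime) {
        owner = msg.sender;
        // The recommended check. Without it an endTime a year in the past makes
        // safeWithdrawal() callable before any investor can claim a refund.
        require(_startTime >= block.timestamp, "start in the past");
        require(_endTime > _startTime, "end not after start");
        startTime = _startTime;
        endTime = _endTime;
    }

    receive() external payable {
        require(block.timestamp >= startTime && block.timestamp <= endTime, "not open");
    }

    function hasEnded() public view returns (bool) { return block.timestamp > endTime; }

    // Vulnerable pattern from the report: anyone may call this once the sale has
    // ended, and a second call reverts. An attacker who calls it first prevents
    // the builder's original closeCrowdsale() from ever reaching finishMinting().
    function finalize() public {
        require(!isFinalized, "already finalized");
        require(hasEnded(), "not ended");
        isFinalized = true;
    }

    // Owner sweep long after the end of the sale (the report's safeWithdrawal).
    function safeWithdrawal() external {
        require(msg.sender == owner, "not owner");
        require(block.timestamp > endTime + WITHDRAWAL_DELAY, "too early");
        (bool ok, ) = owner.call{value: address(this).balance}("");
        require(ok, "withdrawal failed");
    }
}

contract DemoBuilder {
    address public owner;
    mapping(address => DemoToken) public tokenOf;   // crowdsale => its token

    constructor() { owner = msg.sender; }

    function createCrowdsale(uint256 startTime, uint256 endTime) external returns (DemoCrowdsale sale) {
        require(msg.sender == owner, "not owner");
        sale = new DemoCrowdsale(startTime, endTime);
        tokenOf[address(sale)] = new DemoToken(address(this));
    }

    // Reverts inside sale.finalize() if an attacker already finalized, so
    // finishMinting() is never reached and the token stays non-transferable.
    function closeCrowdsaleVulnerable(DemoCrowdsale sale) external {
        require(msg.sender == owner, "not owner");
        sale.finalize();
        tokenOf[address(sale)].finishMinting();
    }

    // Hardened: finalize() is only called if still needed, so a front-run
    // finalize() can no longer block finishMinting().
    function closeCrowdsale(DemoCrowdsale sale) external {
        require(msg.sender == owner, "not owner");
        if (!sale.isFinalized()) sale.finalize();
        tokenOf[address(sale)].finishMinting();
    }
}
```

The idempotent closeCrowdsale() is the minimal fix on the builder side; the complementary fix on the crowdsale side is to guard finalize() with require(msg.sender == owner) so that only the builder can finalize. The constructor checks address the low severity finding directly: with them in place, endTime + WITHDRAWAL_DELAY can never already be in the past at deployment, so safeWithdrawal() cannot be used to drain the contract before claimRefund() is reachable.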
Audit request
FriendsFingers is an open-source Decentralized Application (DApp) built on Smart Contracts running on Ethereum Blockchain. FriendsFingers helps startups and small businesses to start a trustworthy Crowdsale and issue an ERC20 Token with no setup costs and zero lines of code required. https://www.friendsfingers.com/
Source code
https://github.com/FriendsFingers/friendsfingers-smartcontracts/tree/master/contracts
Disclosure policy
https://t.me/friendsfingers
Contact information (optional)
https://twitter.com/friendsfingers https://www.facebook.com/friendsfingers hello@friendsfingers.com
Platform
Eth
Number of lines:
408