EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

UCOIN #371

Closed carlossampol closed 4 years ago

carlossampol commented 5 years ago

Audit request

This smart contract is to deploy our UCOIN, a digital currency one-stop ecosystem based on the Ethereum blockchain technology that provides its token holders and crypto/fiat users a diversified digital and global financial service network for their daily life transactions. The UCoin financial platform is powered by DOSH and built on decentralized blockchain technology and utilizes a microservice architecture to ensure limitless scalability. For more details: https://ucoincurrency.io/

Source code

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol

Disclosure policy

juan.velez@ucoincorp.com

Number of lines:

127

Platform

Ethereum

MrCrambo commented 5 years ago

Auditing time is 1 day

yuriy77k commented 5 years ago

@MrCrambo assigned

MrCrambo commented 5 years ago

My report is finished

danbogd commented 5 years ago

Auditing time is 1 day.

yuriy77k commented 5 years ago

@danbogd assigned

danbogd commented 5 years ago

My report is finished.

RideSolo commented 5 years ago

audit time: 1 day

yuriy77k commented 5 years ago

@RideSolo assigned

yuriy77k commented 5 years ago

The contract contains a high severity security issue. The developer is informed about it.

yuriy77k commented 4 years ago

UCOIN Security Audit Report

1. Summary

UCOIN smart contract security audit report performed by Callisto Security Audit Department

Symbol       : UCOIN
Name         : Universal Coin
Capped supply: 5,000,000,000
Decimals     : 8 
Standard     : ERC20

2. In scope

3. Findings

In total, 9 issues were reported including:

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

3.2. Buy/Sell

Severity: High

Description

The buy and sell price is set by two variables that do not contain numerator and denominator information, meaning that, for example, the sell price set to a minimum will be 1 wei, making the price of 1 token that is sold to the contract equal to 1 ether since the decimals are equal to 18.

Developers should be aware that this will not give them any flexibility to set the token sell and buy prices, meaning that the buy price for 1 token should be higher than 1 ether (please note that following this logic more than 5 billion ether are needed to buy all the tokens by the investors).

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/65f85924bbd88e4edca573ca6dcf4688cc1f0394/UCOIN_Smart_Contract.sol#L228-L245

3.3. ERC20 Compliance

Severity: medium

Description

transfer does not return a boolean as described in EIP20 (please note that transferFrom is correctly implemented).

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/65f85924bbd88e4edca573ca6dcf4688cc1f0394/UCOIN_Smart_Contract.sol#L90#L93

3.4. Minting Overflow

Severity: medium

Description

Mint function does not use safeMath library or any other logic to prevent overflow.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L211#L212

3.5. Transfer Event

Severity: low

Description

The transfer event is not emitted when allocating to total supply inside the constructor.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L50#L59

3.6. Owner privileges

Severity: owner privileges

Description

  1. Owner can mint an unlimited amount of tokens, even if the total supply is already set in the constructor.

  2. Owner can freeze/unfreeze users' wallets without restrictions.

  3. Owner can change the token buy/sell price at any moment.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L210#L215

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L220#L223

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L228#L231

3.7. Zero address checking

Severity: low

Description

There is no zero address checking in function transferOwnership.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L20

4. Conclusion

The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.

5. Revealing audit reports

https://gist.github.com/yuriy77k/17e5525da7b4e33e0e475ab13469ce1a

https://gist.github.com/yuriy77k/207a417f8ec02ea21577eb7fef16d06d

https://gist.github.com/yuriy77k/ea60b757433f37354aa112c2cbf1b416

5.1. Notes about RideSolo report

3.1. Frozen ETH is not a high severity security issue. No need to withdraw the contract balance; it is used for trading. To withdraw ETH, the owner can set the token price in the contract balance and sell it, as a last resort. It's owner privileges.
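As an added illustration (not the UCOIN contract and not code from the auditors), a Solidity 0.8 sketch of how findings 3.1 to 3.6 above could be addressed in one minimal token: the contract name, variable names and the numerator/denominator representation of the sell price are assumptions, and 0.8 checked arithmetic stands in for the SafeMath library the report asks for.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Added illustration, not the UCOIN contract. Contract and variable names are assumed;
// Solidity 0.8 checked arithmetic stands in for the SafeMath the report asks for.
contract UCoinFixed {
    uint256 public constant CAP = 5_000_000_000 * 10**8; // capped supply, 8 decimals
    uint256 public totalSupply;
    address public owner;
    mapping(address => uint256) public balanceOf;
    // 3.2: price as a ratio (wei per N base units) so a token can be worth less than 1 ether
    uint256 public sellPriceNumerator;
    uint256 public sellPriceDenominator;
    event Transfer(address indexed from, address indexed to, uint256 value);
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    constructor(uint256 initialSupply, uint256 priceNum, uint256 priceDen) {
        require(priceDen > 0, "zero denominator");
        (owner, sellPriceNumerator, sellPriceDenominator) = (msg.sender, priceNum, priceDen);
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply); // 3.5: emit on allocation
    }
    receive() external payable {} // ETH the contract pays out in sell()

    // 3.1 / 3.3: refuse the token contract as recipient and return bool per EIP-20
    function transfer(address _to, uint256 _value) external returns (bool) {
        require(_to != address(0) && _to != address(this), "bad recipient");
        balanceOf[msg.sender] -= _value; // reverts on underflow
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    // 3.4 / 3.6.1: checked addition plus a hard cap bounds what the owner can mint
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= CAP, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    // 3.2: payout = amount * numerator / denominator; state changes before the ETH send
    function sell(uint256 amount) external {
        uint256 payout = amount * sellPriceNumerator / sellPriceDenominator;
        balanceOf[msg.sender] -= amount;
        balanceOf[owner] += amount;
        emit Transfer(msg.sender, owner, amount);
        payable(msg.sender).transfer(payout); // reverts if the contract cannot pay
    }
}
```

With the ratio form, a sell price of 1 wei per 1000 base units (priceNum = 1, priceDen = 1000) is expressible, which a single wei-per-unit variable cannot represent.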