EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department has conducted over 400 security audits since 2018. Not a single contract that we audited has been hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

cryptomillions.io v.2. #376

Closed carlossampol closed 5 years ago

carlossampol commented 5 years ago

Audit request

Create ERC20 CPM1; it has the functionality to transfer, transfer from, and burn tokens.

Source code

https://github.com/cryptomillionsofficial/CREATE_ERC20_CPM1_V2/

Disclosure policy

mike@cryptomillions.io

Platform

Ethereum

Number of lines:

146 (73 points for reaudit https://github.com/EthereumCommonwealth/Auditing/issues/362#issuecomment-524542215)

MrCrambo commented 5 years ago

Auditing time is 1 day

MrCrambo commented 5 years ago

My report is finished

yuriy77k commented 5 years ago

@MrCrambo assigned

danbogd commented 5 years ago

Auditing time is 1 day.

danbogd commented 5 years ago

My report is finished.

yuriy77k commented 5 years ago

@danbogd assigned

RideSolo commented 5 years ago

Auditing time: 1 day

yuriy77k commented 5 years ago

@RideSolo assigned

yuriy77k commented 5 years ago

Cryptomillions.io V2 Security Audit Report

1. Summary

Cryptomillions.io V2 smart contract security audit report performed by Callisto Security Audit Department

Symbol       : CPM-1
Name         : Cryptomillions Series 1
Capped supply: 600,000,000
Decimals     : 8 
Standard     : ERC20

2. In scope

3. Findings

In total, 3 issues were reported including:

No critical security issues were found.

3.1. Allowance Decrease

Severity: low

Description

The value to be subtracted is decreased using the SafeMath sub function, meaning that if the value is higher than the remaining allowance the transaction will throw, when it could be set to zero instead. Multiple scenarios can be imagined for the end user.

Code snippet

https://github.com/cryptomillionsofficial/CREATE_ERC20_CPM1_V2/blob/master/ERC20_CPM1_Token_v2.sol#L120#L123

Recommendation

Check if the allowance is lower than the value to be subtracted and set the allowance to zero if the condition is met.

3.2. Extra requirement

Severity: low

Description

The following extra requirement is added to _transfer: require(_to != address(msg.sender)). The requirement might cause a compatibility issue, especially if there is any logic implemented in a contract like a batch payment where the msg.sender address will receive some tokens (please note that no reason comes to mind to add such a requirement).

Code snippet

https://github.com/cryptomillionsofficial/CREATE_ERC20_CPM1_V2/blob/master/ERC20_CPM1_Token_v2.sol#L103

3.3. Known vulnerabilities of ERC-20 token

Severity: low

Description

A double withdrawal attack is possible. More details here.

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/025c8634e2e6a1ee7c6e0c7d667e3724

https://gist.github.com/yuriy77k/1fef9bf4d38fbbc5a618ac35a1177cd9

https://gist.github.com/yuriy77k/f32936670f6b6406540b9cdec5e10263
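The three findings above are all about how an ERC20 token handles allowances and transfers. The contract below is an added illustration written for this thread; it is not the CPM-1 code and makes no claim about how that contract is written. The contract name, function names and the `Allowance`/`compareAndApprove` helpers are hypothetical. It shows the reverting `decreaseAllowance` behaviour flagged in 3.1 next to the recommended clamp-to-zero version, a `_transfer` without the self-transfer ban discussed in 3.2 (so `transferFrom` pulling tokens into `msg.sender` still works), and a compare-and-set `approve` that removes the approve/transferFrom double-withdrawal race from 3.3.

```solidity
pragma solidity ^0.5.0;

// Added example for findings 3.1 to 3.3 in this issue. Hypothetical code,
// not the audited CPM-1 contract.

library SafeMath {
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction overflow");
        return a - b;
    }

    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "SafeMath: addition overflow");
        return c;
    }
}

contract AllowanceExample {
    using SafeMath for uint256;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) public {
        balanceOf[msg.sender] = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    // Finding 3.1, behaviour the report flags: SafeMath.sub reverts as soon as
    // the caller asks to remove more than the remaining allowance.
    function decreaseAllowanceStrict(address spender, uint256 subtracted) external returns (bool) {
        uint256 updated = allowance[msg.sender][spender].sub(subtracted);
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    // Finding 3.1, recommended behaviour: clamp to zero instead of reverting.
    // The ternary guarantees current >= subtracted before the raw subtraction.
    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        uint256 updated = subtracted >= current ? 0 : current - subtracted;
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        uint256 updated = allowance[msg.sender][spender].add(added);
        allowance[msg.sender][spender] = updated;
        emit Approval(msg.sender, spender, updated);
        return true;
    }

    // Finding 3.3 mitigation: only overwrite the allowance if it still equals the
    // value the owner last observed. A spender who front-runs approve(old) ->
    // approve(new) with transferFrom(old) makes the second call revert instead of
    // gaining old + new.
    function compareAndApprove(address spender, uint256 expected, uint256 newValue) external returns (bool) {
        require(allowance[msg.sender][spender] == expected, "allowance changed since last read");
        allowance[msg.sender][spender] = newValue;
        emit Approval(msg.sender, spender, newValue);
        return true;
    }

    // Finding 3.2: standard ERC20 has no require(to != msg.sender) here. Adding
    // one would also reject transferFrom calls where the caller is the recipient,
    // e.g. a contract pulling approved tokens into itself.
    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0), "transfer to the zero address");
        balanceOf[from] = balanceOf[from].sub(value);
        balanceOf[to] = balanceOf[to].add(value);
        emit Transfer(from, to, value);
    }

    function transfer(address to, uint256 value) external returns (bool) {
        _transfer(msg.sender, to, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        allowance[from][msg.sender] = allowance[from][msg.sender].sub(value);
        _transfer(from, to, value);
        return true;
    }
}
```

With `decreaseAllowanceStrict`, a wallet that reads an allowance of 100, then tries to revoke 150 after the spender has already pulled some tokens, gets a revert and has to retry; `decreaseAllowance` simply leaves the allowance at 0, which is what the owner wanted. `compareAndApprove` is one of the standard answers to the approve race: the owner passes the allowance it saw, and any concurrent `transferFrom` that changed it makes the overwrite fail. The `_transfer` above allows `from == to`, which is harmless: the balance is debited and credited by the same amount in the same call.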