EthereumCommonwealth / Auditing

Ethereum Commonwealth Security Department conducted over 400 security audits since 2018. Not even a single contract that we audited was hacked. You can access our audit reports in the ISSUES of this repo. We are accepting new audit requests.
https://audits.callisto.network/
GNU General Public License v3.0

SMART token and DAO #513

Closed yuriy77k closed 3 years ago

yuriy77k commented 3 years ago

Audit request

BEP20 token and voting contract

Source code

https://github.com/jointerinc/smartToken/tree/main/contracts

Disclosure policy

... Do you want us to publish the report as it is or to notify you privately in case of finding critical mistakes? ...

... provide your conditions for publishing the report or leave only standard disclosure policy link ...

Standard disclosure policy.

Contact information (optional)

... Provide information to contact you or the smart contract developer in case high severity issues are found ...

... Provide information about the media resources of the project you want us to audit (website/ twitter account/ reddit/ telegram channel/ etc.) ...

Platform

... In which network will your contract be deployed?

BSC

yuriy77k commented 3 years ago

Security Audit Report

1. Summary

SMART token and DAO smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Commit hash: 36eaed2c06e22ca775be758e56e37758f6749238

https://github.com/jointerinc/smartToken/tree/36eaed2c06e22ca775be758e56e37758f6749238

3. Findings

In total, 6 issues were reported including:

No critical security issues were found.

3.1. An airdrop recipient can be undeservedly rewarded

Severity: low

Description

The reward depends on the duration of staking and on the amount of staked tokens. In the common case, when the balance increases, the reward is paid and staking starts again with the updated balance, which resets the staking period.

But in the case of an airdrop, there is no staking period reset. This means that the staking start date remains the old one. And if the user kept even minimal funds without moving them, for example, for a year, then on receiving an airdrop, he can, in the next block, receive an annual reward for staking the airdrop.

Code Snippet

3.2 The user may be locked for more than the required amount of tokens

Severity: low

Description

If there are several airdrops of different amounts, then the users who received a smaller quantity of tokens have to unlock their account with double the amount of the last airdrop.

For example, there are two airdrops of 1 Smart and 3 Smarts for different users. Then users who received 1 Smart must have 6 Smarts (instead of 2 Smarts) to unlock their account.

In addition, blocking the account restricts the user. Not everyone will want to get a lock on their old funds, even in exchange for an airdrop. Perhaps you should only block the airdrop amount, not all of the user's funds.

Code snippet

3.3. Owner privileges

Severity: owner privileges

Description

1) Owner can block transfers of any user for any duration.

2) Owner can mint any amount of tokens for any address.

3.4. Known vulnerabilities of BSC-20 token

Severity: low

Description

3.5. Funds can be accidentally sent to a zero address

Severity: low

Description

There is no check for an empty input value of the _to parameter in the transferFund function. It may be left empty by mistake, and the funds will be lost. The owner can lose both ERC-20 tokens and ether.

Code Snippet

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/gorbunovperm/f054bca582994a9b23ca940117b8d122

https://gist.github.com/gorbunovperm/7ebb07e6aaf8cc0af9490a4984cebb1c

5.1. Note about the revealed report

The issue "An airdrop recipient can be undeservedly rewarded" has low severity since the airdrop will be done only to addresses with zero balance. Even if an airdrop comes to an address that already holds some tokens, the amount of the airdrop is too small to give the user a significant profit.
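The accounting flaw behind finding 3.1, as an added toy model that is not the audited jointerinc/smartToken code: a balance increase that does not restart the staking period lets the airdropped tokens earn reward for the whole elapsed period. The reward rate, the 18-decimal unit and the 3-second block time are constructed assumptions; `settle_on_airdrop=True` shows the fix (pay the pending reward and reset the period on every balance increase).

```python
# Toy model of the staking-reward accounting described in finding 3.1.
# Constructed for illustration; not the audited jointerinc/smartToken code.
from dataclasses import dataclass

SECONDS_PER_YEAR = 365 * 24 * 60 * 60
REWARD_BPS = 1_000            # hypothetical 10% annual reward, in basis points
ONE = 10**18                  # one token in its smallest unit (18 decimals, assumed)


@dataclass
class Account:
    balance: int = 0
    stake_start: int = 0      # timestamp at which the current staking period began


class StakingModel:
    def __init__(self, settle_on_airdrop: bool):
        # settle_on_airdrop=False reproduces the reported behaviour (no reset on airdrop)
        self.settle_on_airdrop = settle_on_airdrop
        self.accounts = {}

    def _pending(self, acct: Account, now: int) -> int:
        # reward grows with the balance and with the time since the period began
        return acct.balance * (now - acct.stake_start) * REWARD_BPS // (10_000 * SECONDS_PER_YEAR)

    def _settle(self, acct: Account, now: int) -> int:
        # pay the pending reward and restart the staking period from `now`
        reward = self._pending(acct, now)
        acct.stake_start = now
        return reward

    def deposit(self, who: str, amount: int, now: int) -> int:
        acct = self.accounts.setdefault(who, Account(stake_start=now))
        paid = self._settle(acct, now)    # ordinary balance increase: settle first
        acct.balance += amount
        return paid

    def airdrop(self, who: str, amount: int, now: int) -> int:
        acct = self.accounts.setdefault(who, Account(stake_start=now))
        paid = self._settle(acct, now) if self.settle_on_airdrop else 0
        acct.balance += amount            # vulnerable path leaves stake_start untouched
        return paid

    def claim(self, who: str, now: int) -> int:
        return self._settle(self.accounts[who], now)


def reward_after_airdrop(settle_on_airdrop: bool) -> int:
    """Hold 1 token for a year, receive a 1000-token airdrop, claim one block (3 s) later."""
    m = StakingModel(settle_on_airdrop)
    total = m.deposit("alice", ONE, now=0)
    total += m.airdrop("alice", 1_000 * ONE, now=SECONDS_PER_YEAR)
    total += m.claim("alice", now=SECONDS_PER_YEAR + 3)
    return total
```

Without the reset the claim pays roughly 100 tokens for an airdrop held three seconds; with the reset the user receives only the 0.1 token legitimately earned on the single token held for a year.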