Open pit-coin opened 4 years ago
gitcoinbot
commented
4 years ago Issue Status: 1. Open 2. Started 3. Submitted 4. Done
This issue now has a funding of 0.1 ETH (24.64 USD @ $246.37/ETH) attached to it.
gitcoinbot
commented
4 years ago Issue Status: 1. Open 2. Started 3. Submitted 4. Done
Work has been started.
These users each claimed they can complete the work by 266 years, 3 months from now. Please review their action plans below:
1) l-kh has started work.
I can do an automatic scan for your contract. 2) nightwolf3 has started work.
I've been a blockchain dev for about two years and would love to help you debug the contract 3) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 4) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 5) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 6) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 7) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 8) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 9) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 10) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 11) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 12) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 13) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 14) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 15) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 16) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 17) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 18) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 19) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 20) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 21) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 22) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 23) abdel-az has started work.
I am enthousiaste in blockchain and i am interessed to this challenge 24) srisankethu has started work.
I have found some issues in the contract 25) ashish10677 has started work.
I'll go through the code thoroughly and then try to run it locally and check for issues. 26) surajsingla333 has started work.
I have good experience in smart contract development and debugging and will be able to do a thorough analysis. 27) cryptaldev has started work.
trying to break ERC20 contract and siphon finds 28) barryjo has started work.
recently started working on defi space and have good knowledge of ERC standards 29) cryptoicarus has started work.
Reviewing code and will attempt to exploit bug on testnet 30) jordan69420 has started work.
I'll review your code, and see if it has any technical or legal problems
Learn more on the Gitcoin Issue Details page.
L-KH
commented
4 years ago I am not that good to detect hidden bugs. and this rapport is what I get after using MythX dev plan. HIGH-SWC-101 | The arithmetic operation can underflow. line 47 & line 40
description: It is possible to cause an arithmetic overflow. Prevent the overflow by constraining inputs using the require() statement or use the OpenZeppelin SafeMath library for integer arithmetic operations. Refer to the transaction trace generated for this issue to reproduce the overflow.
Instructions to reproduce the vulnerability of line 40(Test Case 1)
You can check JSON file that I export from MythX: MythXDevScan.zip
hope it was helpful to you.
srisankethu
commented
4 years ago gitcoinbot
commented
4 years ago Issue Status: 1. Open 2. Started 3. Submitted 4. Done
Work for 0.1 ETH (24.38 USD @ $243.78/ETH) has been submitted by:
@pit-coin please take a look at the submitted work:
srisankethu
commented
4 years ago @pit-coin I made a comment on 2 issues I saw
pit-coin
commented
4 years ago @srisankethu
assert. I use require in sub because it checks for valid input.
CryptoIcarus
commented
4 years ago There are a few issues I was able to find.
Recommend making the contract owned and the clean() function onlyowner, currently anyone can withdraw any token from contract
In buy function use if statements instead of require. Using require will result in unnecessary errors.
function buy(address _ref) public payable {
// w*pr = T + T*ppt/m - P + R
// with ref
// in*pr = t + f + r
// (w + in)*pr = T+t + (T+t)*(ppt + f*m/T)/m - (P + t*(ppt + f*m/T)/m) + (R + r)
// no ref
// in*pr = t + f
// (w + in)*pr = T+t + (T+t)*(ppt + f*m/T)/m - (P + t*(ppt + f*m/T)/m) + R
// first
// in*pr = t
// (w + in)*pr = T+t + (T+t)*ppt/m - (P + t*ppt/m) + R
uint256 tokens = msg.value.mul(price);
uint256 fee = tokens.div(10);
tokens = tokens.sub(fee);
_ref = _ref != msg.sender ? _ref : address(0);
if (_ref != address(0) && balanceOf[_ref] >= refRequirement) {
uint256 refBonus = fee.mul(3).div(10);
fee = fee.sub(refBonus);
refDividendsOf[_ref] = refDividendsOf[_ref].add(refBonus);
}
uint256 increaseProfitPerToken = 0;
if (totalSupply != 0) {
increaseProfitPerToken = fee.mul(multiplicator).div(totalSupply);
profitPerToken = profitPerToken.add(increaseProfitPerToken);
} else {
tokens = tokens.add(fee);
}
balanceOf[msg.sender] = balanceOf[msg.sender].add(tokens);
totalSupply = totalSupply.add(tokens);
emit Transfer(address(0), msg.sender, tokens);
uint256 payout = tokens.mul(profitPerToken).div(multiplicator);
payoutsOf[msg.sender] = payoutsOf[msg.sender].signedAdd(payout);
emit Buy(msg.sender, _ref, tokens, increaseProfitPerToken);
}Either add:
require(_tokens >= 10)or add/change:
require(_tokens > 0);
uint256 fee = _tokens >=10 ? _tokens.div(10) : 1;@CryptoIcarus, I appreciate a lot what you have done!
CryptoIcarus
commented
4 years ago @CryptoIcarus, I appreciate a lot what you have done!
- The idea is that the contract does not have an owner at all, so, yes, anyone can withdraw tokens sent to this contract by mistake, for advertising or else.
- This is incorrect input or an attempt to cheat, i think, so it log an error.
- Yes, it is possible. I suppose no one would do this because the fee is greater than expected profit. I consider this as an improvement, not as a bug.
Example 1: The code below throws an error if the balance of the refer is too small. However it should not be the job of the user who is buying to check the balance of the refer address every time. E.g. User 1 buys tokens once with user 2's ref link and it works. Then user 2 sells tokens and no longer meets balance requirements. User 1 now tries to buy tokens again using the ref link and it fails. They would see this on their end as a bug and not know how to fix the issue.
require(balanceOf[_ref] >= refRequirement, "small balance");
Example 2: This could be an attempt at cheating but could also be a simple user error. I assume that users are sharing ref links and not manually entering refer addresses. E.g. User 1 buys tokens. User 1 creates a ref link to share with user 2. User 1 then wants to buy more tokens, however they may have bookmarked their own ref link or they have visited the site more times with the ref link and their browser autocompletes to the ref link. Again the transaction fails and the end user would not understand why.
require(_ref != msg.sender, "_ref is sender");
These are not hypothetical examples. I have personally written contracts before that include refer functions and users very often submit addresses that do not meet requirements unknowingly. Most users do not have the knowledge to go look on etherscan and check what the error was. Read the code and figure out how to remedy the situation.
gitcoinbot
commented
3 years ago Issue Status: 1. Open 2. Started 3. Submitted 4. Done
The funding of 0.1 ETH (59.44 USD @ $594.38/ETH) attached to this issue has been approved & issued to @cryptoicarus.
Find bugs or backdoors in the ERC20 ethereum token.
Github: https://github.com/pit-coin/pit-coin.github.io/blob/master/contracts/Token.sol
Ropsten testnet: https://ropsten.etherscan.io/address/0x6342A5c056F71E7E3a6Bf89560Dc1F97210bDb51