@MrCrambo
Last active June 24, 2018 15:12

Gigzi audit report.

Summary

This is the report from a security audit performed on Gigzi by Il Kadyrov.

The audit focused primarily on the security of Gigzi contracts.

In scope

  1. https://github.com/GigziProject/GigziContracts/blob/master/contracts/FeeableToken.sol
  2. https://github.com/GigziProject/GigziContracts/blob/master/contracts/GigBlack.sol
  3. https://github.com/GigziProject/GigziContracts/blob/master/contracts/GigCrowdsale.sol
  4. https://github.com/GigziProject/GigziContracts/blob/master/contracts/GigGold.sol
  5. https://github.com/GigziProject/GigziContracts/blob/master/contracts/GigPlatinum.sol
  6. https://github.com/GigziProject/GigziContracts/blob/master/contracts/GigSilver.sol
  7. https://github.com/GigziProject/GigziContracts/blob/master/contracts/Migrations.sol
  8. https://github.com/GigziProject/GigziContracts/blob/master/contracts/helper/MessageHelper.sol

Findings

In total, 6 issues were reported including:

  • 2 high severity issues.

  • 2 medium severity issues.

  • 1 low severity issue.

  • 1 minor observation.

Security issues

1. Wrong calculation of reward in GigBlack.sol.

Severity: high

Description

The account reward is calculated as the balance multiplied by the reward time in milliseconds (lines 147, 189). This yields a very large number, because the multiplication is by milliseconds, and after a long period an account's balance will exceed totalSupply.

Recommendation

The logic needs to be rewritten.

2. Function getAccountReward in GigBlack.sol does not calculate in percent.

Severity: high

Description

The comment before the function states that rewards are calculated in percent (line 130), but the reward is calculated as the balance multiplied by the time difference between the last reward calculation and now.

Recommendation

The logic needs to be rewritten.

3. Modifier restricted will not work in Migrations.sol.

Severity: medium

Description

The modifier restricted (line 8) does not work correctly: it also passes when msg.sender is not the owner.

Recommendation

Rewrite the restricted modifier so that a non-owner caller is rejected:

modifier restricted() {
  require(msg.sender == owner);
  _;
}

4. Use SafeMath in all operations in GigBlack.sol.

Severity: medium

Description

SafeMath is not used in all arithmetic operations, for example at lines 97, 147, 150, 189.

Recommendation

Use SafeMath in all arithmetic operations to protect against overflow and underflow.
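The following contract is an added illustration for findings 1, 2, 3 and 4 together; it is not Gigzi code and was not written by the report's author. The contract name, the storage layout, the assumed 5% annual rate and the 0.4.24 compiler target are all assumptions. It shows the reward as a percentage of the balance scaled by elapsed seconds (rather than balance multiplied by time), every arithmetic step routed through SafeMath, and an owner check that reverts instead of silently letting other callers through.

```solidity
pragma solidity ^0.4.24;

// Added illustration only, not Gigzi code. Contract name, rate and storage
// layout are assumptions made for the example.

library SafeMath {
    // Each operation reverts on overflow or underflow instead of wrapping.
    function mul(uint256 a, uint256 b) internal pure returns (uint256) {
        if (a == 0) {
            return 0;
        }
        uint256 c = a * b;
        require(c / a == b);
        return c;
    }

    function div(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b > 0);
        return a / b;
    }

    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a);
        return a - b;
    }

    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a);
        return c;
    }
}

contract RewardExample {
    using SafeMath for uint256;

    // Denominator for "percent per year": constant arithmetic is evaluated
    // and checked at compile time, so SafeMath is not needed here.
    uint256 private constant PERCENT_YEAR = 100 * 365 days;

    address public owner;
    uint256 public rewardPercentPerYear = 5; // assumed rate, whole percent
    uint256 public totalSupply;
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastRewardTime;

    // require() reverts for non-owners. A modifier that merely wraps `_;`
    // in an `if` lets everyone else fall through without failing.
    modifier restricted() {
        require(msg.sender == owner);
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    function setRewardPercentPerYear(uint256 percent) public restricted {
        require(percent <= 100);
        rewardPercentPerYear = percent;
    }

    // Owner-only issuance; starts the reward clock for a new holder.
    function mint(address to, uint256 amount) public restricted {
        if (lastRewardTime[to] == 0) {
            lastRewardTime[to] = now;
        }
        balances[to] = balances[to].add(amount);
        totalSupply = totalSupply.add(amount);
    }

    // Reward owed since the last claim, as a share of the balance proportional
    // to elapsed seconds: balance * percent * elapsed / (100 * 365 days).
    // At 5% this adds 5% of the balance per year, not balance * timestamp.
    function getAccountReward(address account) public view returns (uint256) {
        uint256 last = lastRewardTime[account];
        if (last == 0) {
            return 0; // never held a balance, nothing accrued
        }
        uint256 elapsed = now.sub(last);
        return balances[account]
            .mul(rewardPercentPerYear)
            .mul(elapsed)
            .div(PERCENT_YEAR);
    }

    function claimReward() public {
        uint256 reward = getAccountReward(msg.sender);
        lastRewardTime[msg.sender] = now;
        balances[msg.sender] = balances[msg.sender].add(reward);
        // Minting the reward also raises totalSupply, so the sum of balances
        // can never exceed it.
        totalSupply = totalSupply.add(reward);
    }
}
```

Two design points worth noting: `now` is the block timestamp in seconds, so no conversion to milliseconds is needed, and the multiplication is done before the division so that small balances or short intervals lose as little precision as possible while SafeMath still reverts if the product would overflow uint256.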

5. Old solidity version.

Severity: low

Description

The Solidity version used is old.

Recommendation

Use one of the latest versions of Solidity.

6. TODO comments need to be deleted from GigBlack.sol.

Severity: not a security issue

Description

TODO comments are left in the code (lines 114, 205, 206).

Recommendation

Remove all TODO comments or finish the code they mark.

Specification

This smart contract has some high severity vulnerabilities.

Any further changes to the contracts will leave them in an unaudited state.

Conclusion

Two high severity vulnerabilities were detected. The reported issues can directly hurt the Gigzi smart contracts.

All high severity issues need to be fixed, and we highly recommend that you complete another bug bounty before use.
