This document is a security audit report performed by RideSolo, where Jointer Token has been reviewed.
- ERC20.sol github commit hash f86d15275b7a902c839a8ae45d959549dda09df1.
- MultiOwnable.sol github commit hash f86d15275b7a902c839a8ae45d959549dda09df1.
- Ownable.sol github commit hash f86d15275b7a902c839a8ae45d959549dda09df1.
- SafeMath.sol github commit hash f86d15275b7a902c839a8ae45d959549dda09df1.
- StandardToken.sol github commit hash 35c2f9ba264ac722e8c57966ca820e8dc6b93fb0.
- Token.sol github commit hash 35c2f9ba264ac722e8c57966ca820e8dc6b93fb0.
- TokenUtil.sol github commit hash f86d15275b7a902c839a8ae45d959549dda09df1.
- WhiteList.sol github commit hash 095929d0b080ec9541f7847487e8363fb251446b.
- github commit hash .
11 issues were reported including:
- 2 high severity issues.
- 1 medium severity issues.
- 2 low severity issues.
- 4 Owner privileges.
- 2 notes.
Following the document provided, as example "If Investors purchase through third party exchanges like, national stock exchanges, tZero, and other exchanges should be able to check and update the whitelist through a secure API"; however, any address added to the whitlist will be able to add other addresses following the logic implemented in addMoreWallets
function addMoreWallets(address _which) public returns (bool){
require(address_belongs[_which] == address(0));
address sender = msg.sender;
address primaryAddress = address_belongs[sender];
require(is_whiteListed[primaryAddress]);
address_belongs[_which] = primaryAddress;
emit WalletAdded(primaryAddress,_which);
return true;
}
address_belongs[_which] is always set to primaryAddress, meaning that the require(is_whiteListed[primaryAddress]) will never throw, since address_belongs[_which] is always set to the first address that was whitlisted by the owner using addNewWallet. The result of such implementation is that any address will be able to whitlist other addresses recursively.
The contract function description state that "once user whiltelisted it can add more address itself", but even addresses not listed in is_whiteListed mapping will be able to add other addresses, since whitelisting allow to manage KYC user onchain, this issue can have a bad legal impact on the project.
Developers should re-think the function logic.
When owners enforce user token swap using forceSwapWallet, token.swapForToken is called using balances[_address] parameter but user balance was previously burned through and set to zero _burn(_address,balances[_address]) meaning that his balance is equal to zero, the swap will occure with zero value, user balance should be saved first in a memory variable then burned and the the newly created variable assigned for swap.
setCansent function member of WhiteList is setting recive_block instead of sent_block, where canSentToken is checking sent_block.
systemAddressis set inside the constructor, but the input variable is not checked.
In [acceptSystemAddressOwnership][https://github.com/ridesoloAudit/JntrToken/blob/35c2f9ba264ac722e8c57966ca820e8dc6b93fb0/MultiOwnable.sol#L89), systemAddress is set to msg.sender. Even if msg.sender is equal to systemAddressAllowed, msg.sender should be replaced by systemAddressAllowed for better logic understanding.
Doc parsing errors are raised for addMoreWallets and setCansent since the documention to be generated contains invalid parameters name _address and _recive that should be replaced with _which and sent.
- Owner can block a use from receiving tokens using
setCanRecive. - If issue
Send Restrictionis solved, the owner will be able to block a use from sending tokens usingsetCanRecive. forceSwapWalletallow the owner to force user address balance swap.- Owner can change whitlist address and util address.
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here
The audited contracts aren't safe for deployement.