This document is a security audit report performed by RideSolo, where EZO Token has been reviewed.
- CurrrencyPrices.sol github commit hash f4fa76fa25f4bbfedfd278ea8569045f2d89622f.
- EZOToken.sol github commit hash ab7d1527e3ef6e45d005166311661972ab7eafb8.
- SmartSwap.sol github commit hash ab7d1527e3ef6e45d005166311661972ab7eafb8.
** 14 issues** were reported including:
- 3 high severity issues.
- 3 medium severity issues.
- 2 low severity issues.
- 4 Owner privileges.
- 2 notes.
When a user call tranfer
function to take an order deposited through sendToken
:
- The computed
_valueCal
of EZO tokens to be sent to the order maker is wrong since the value should be equal to the amount of the currency sent multiplied by the currency price then divided by the price of EZO in usd. Multiple errors can be seen,safeDivv
is used instead ofsafeDiv
which will divide the result of the multiplication by1 ether
instead of the ezo price in USD.- Supposing if the division operation is correct the value used to divide is
100
but the price of EZO tokens can be changed by the owner usingsetEZOTokenPriceUSD
, meaning that100
should be replaced byezoTokenPriceUSD
.
- The
condition
used to check if the value requested by the function caller is uncorrect, the condition should be as followif(_valueCal > _value) { /* do processing */}
to avoid extra computation if both values are equal. - The
returnAmount
computation is incorrect it should be the difference in USD multiplied by the 10 power the currency decimals then divided by the currency price in USD. sentAmount
should be the_valueCal
in EZO multiplied by EZO token price in USD devided by the currency price in usd, while taking the decimals into account, node of the described steps where taken into account.
When cancelling an order generalFundAssign
is used to refund the user tokens or ether, if the deposited tokens through sendToken
are EZOs, instead of sending the tokens back to the user using assignTokens
with the sender
address equal to the EZO contract address, the developers used mint
function which will create new tokens. The deposited EZO tokens will be frozen inside the contract making the token supply higher, an attacker can repeatedly deposit/cancel to make the total supply higher just to hurt the project. Please note that no max cap is setting when minting.
When using smart swap contract deposit through sendEther
or sendToken
an order is automatically added (addOrder
) and fullfilled (generalFundAssign
, generalFundAssignEZO
)if the wanted currency balance in the smartswap contract is higher than what the user is requesting and the deposited currency is ezo tokens, check [here]](https://github.com/ridesoloAudit/ezo-token/blob/e1284e5f8dd773ae9973b0fad3244efac9180513/ezotoken/contracts/SmartSwap.sol#L220#L225).
A user that deposited tokens or ether previously might not be able to withdraw his deposit since it can be swapped with other users deposit that deposited ezo tokens even if his wanted currency and sent currency are different than ezo tokens, check here
Users that deposit tokens to swap them agains EZO will be automatically accredited newly minted tokens to their account, the deposited tokens will be kept inside the contract, check here
This logic need a balanced deposit between all tokens otherwise some users orders might not be fullfilled and and their deposit might be spent, blocking them from using cancelOrder
.
The following conversion operation might be wrong, since the token decimals are not taken into account directly inside the code, the token decimals value can be integrated with the price in usd however we cannot confirm (this issue should be confirmed with the developers)
- https://github.com/ridesoloAudit/ezo-token/blob/e1284e5f8dd773ae9973b0fad3244efac9180513/ezotoken/contracts/SmartSwap.sol#L219
- https://github.com/ridesoloAudit/ezo-token/blob/e1284e5f8dd773ae9973b0fad3244efac9180513/ezotoken/contracts/SmartSwap.sol#L221
- https://github.com/ridesoloAudit/ezo-token/blob/e1284e5f8dd773ae9973b0fad3244efac9180513/ezotoken/contracts/SmartSwap.sol#L242
- https://github.com/ridesoloAudit/ezo-token/blob/e1284e5f8dd773ae9973b0fad3244efac9180513/ezotoken/contracts/SmartSwap.sol#L266
The owner is responsible of setting the tokens prices using setCurrencyPriceUSD
however it is not possible to set all the tokens that exist on the blockchain, meaning that the tokens addresses not set by the owner should not be allowed for deposit using sendToken
. This will just constrain the users to cancel their order or give a bad user experience to other users if they want to take that order using transfer
since the transaction will just throw because of deviding by zero.
Depending on the intention of the developers, the transfer function is not ERC20 compatible and users won't be able to transfer EZO tokens following the normal ERC20 rules.
To create the uniqueId needed in the contract logic, the developers can use a hashing function with a pack of some unique variables that cannot be recreated twice and save the value
and sender
variables in a mapping.
setCurrencyPriceUSD
function role is to set the tokes reference value, _currency
and _price
arrays should be of equal length, a require must be added to check that condition.
Naming on SafeMath
library is leading to confusion when using safeMull
, safeMul
, safeDiv
and safeDivv
making the code readability more complex and prone to errors.
When depositing ether or tokens a new PurchaseData
contract is deployed making the transaction cost more expensive and not optimized.
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here
Please note that most function marked with "onlyOwner" can either remove trust that the blockchain technology enforce between users and developers or can be hacked in case if the private key is stolen.
setCurrencyPriceUSD
allow the contract owner to set any currency value, instead decentralized oracle can be used such as "chainlink".- Owner can whitlist any address allowing it to
burn
andmint
tokens from any address usingaddAllowedAddress
- Owner can change EZO token price using setEZOTokenPriceUSD
- Owner can
updateTxStatus
and block the user fund for a specific transaction.
The audited contract are unsafe and should not be deployed.