This document is a security audit report by RideSolo, in which the CRYPTONITY Project has been reviewed.
The audited contracts represent the ICO phase of the Cryptonity Project:
- FlatCryptonityCrowdsale, GitHub commit hash bc1b8e23c9881722d594beb82ac80c5ee8319218.
- FlatCryptonityToken, commit hash bc1b8e23c9881722d594beb82ac80c5ee8319218.
- FiatContract, commit hash 1de589578e0b2e9f02075d548d5e5f66d927d404.
- BurnableTokenInterface.sol, commit hash e13329be901ed24630f756c02e14e951de18b4de.
- CryptonityCrowdsale.sol, commit hash bc1b8e23c9881722d594beb82ac80c5ee8319218.
- FiatContractInterface.sol, commit hash e13329be901ed24630f756c02e14e951de18b4de.
- FiatContractMock.sol, commit hash bc1b8e23c9881722d594beb82ac80c5ee8319218.
- CryptonityToken.sol, commit hash e13329be901ed24630f756c02e14e951de18b4de.
5 issues were reported, including:
- 1 high severity issue.
- 2 medium severity issues.
- 2 low severity issues.
At the end of the execution of the reimplemented finalization function of the CryptonityCrowdsale contract, the token at the configured address cannot accept the transferOwnership call, since msg.sender has to be the token's owner address. The token contract is not created inside the CryptonityCrowdsale contract, so the crowdsale never owns the token; the call to the finalize function will therefore throw and the ICO will fail.

The same issue is present in the flattened duplicate of the contract.

Remove the implicated code line.
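The failure mode above, as an added illustration that is not code from the audited project or from OpenZeppelin: a minimal Ownable token and two crowdsale sketches for Solidity ^0.4.24. The contract names Ownable, OwnedToken, BrokenFinalization and FixedFinalization are assumptions made for this example. The first crowdsale is handed an externally deployed token and reverts in finalization, as the report describes; the second creates the token in its own constructor, so it is the token's owner and the hand-over succeeds. The report's recommendation is to remove the offending line; this shows why the line can never execute successfully in the audited layout, and which precondition would have to hold for it to stay.

```solidity
pragma solidity ^0.4.24;

// Minimal stand-in for OpenZeppelin's Ownable (not the project's code):
// transferOwnership is restricted to the current owner, which is exactly the
// check that rejects the crowdsale in the report's finding.
contract Ownable {
    address public owner;

    constructor() public {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    function transferOwnership(address newOwner) public onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        owner = newOwner;
    }
}

// Stand-in token: owned by whichever account or contract deployed it.
contract OwnedToken is Ownable {}

// Pattern the report describes: the crowdsale is handed the address of a token
// deployed elsewhere, then tries to give that token away in finalization.
contract BrokenFinalization is Ownable {
    OwnedToken public token;
    address public wallet;
    bool public isFinalized;

    constructor(OwnedToken _token, address _wallet) public {
        token = _token;
        wallet = _wallet;
    }

    function finalize() public onlyOwner {
        require(!isFinalized, "already finalized");
        finalization();
        isFinalized = true;
    }

    function finalization() internal {
        // Reverts: inside the token, msg.sender is this crowdsale, which never
        // became token.owner(). finalize() can therefore never complete.
        token.transferOwnership(wallet);
    }
}

// Variant in which the hand-over can succeed: the crowdsale creates the token
// in its own constructor, so it is the token's initial owner.
contract FixedFinalization is Ownable {
    OwnedToken public token;
    address public wallet;
    bool public isFinalized;

    constructor(address _wallet) public {
        token = new OwnedToken();   // token.owner() == address(this)
        wallet = _wallet;
    }

    function finalize() public onlyOwner {
        require(!isFinalized, "already finalized");
        // Fail early with a clear reason if ownership was moved elsewhere,
        // instead of reverting deep inside the token.
        require(token.owner() == address(this), "crowdsale does not own the token");
        finalization();
        isFinalized = true;
    }

    function finalization() internal {
        token.transferOwnership(wallet);
    }
}
```

Deploying BrokenFinalization against a token created by an externally owned account and calling finalize() reverts on every attempt; FixedFinalization's finalize() completes and leaves the token owned by the wallet. If the project keeps the token as a separate deployment, the deployer must call transferOwnership(crowdsale) on the token before finalization, which the precondition in FixedFinalization.finalize() checks for.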
The token reward a user receives when investing depends on the ETH/USD exchange rate (see FiatContract). The rate is set by the team and can therefore be manipulated (this is a possibility, not an observed abuse: whoever sets the rate can alter users' rewards). Users have to trust the team to input the right rate. This is a decisive point both for the safety of users' investments and for the project's fundraising, and can have a positive or a negative impact on either side (developers/investors).

The same issue is present in the flattened duplicate of the contract.

A fully automated crowdsale phase, without external interaction, would help investors trust the ICO.
The value returned by the goalReached function depends on an external factor set manually by the team (the ETH/USD rate); given the high volatility of the crypto markets, the result of this function can effectively be random. The possible errors are the following:
- If the ETH/USD rate changes and the team updates the rate after the finalization of the crowdsale phase, a withdrawTokens() call may fail, since it requires goalReached to return true (a rate decrease after a successful sale can flip goalReached to false).
- The opposite is also true: if the crowdsale goal was not reached when the sale was finalized and the rate changes later, a claimRefund() call (member of the OpenZeppelin contracts framework) may fail, since it requires goalReached to return false.

The same issue is present in the flattened duplicate of the contract.
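For the two findings above (the team-controlled rate, and the goalReached outcome moving with that rate after finalization), as an added example that is neither the project's code nor OpenZeppelin's: a privileged rate feed standing in for FiatContract, and a crowdsale sketch that evaluates goalReached exactly once, at finalization, and gates both the withdrawal and the refund path on that stored result. The contract and function names (ManualRateFeed, SnapshotGoalCrowdsale, withdrawFunds), the USD-cents-per-ETH unit and the ^0.4.24 pragma are assumptions for this example. The snapshot removes the second finding; the first remains a trust assumption on whoever calls setRate, which only an automated rate source, as the report recommends, would remove.

```solidity
pragma solidity ^0.4.24;

// Stand-in for a FiatContract-style price source (not the project's code): the
// rate is a storage value written by one privileged account. Nothing on chain
// validates it, which is the trust dependency the report describes.
// Unit chosen for this example: USD cents per 1 ETH.
contract ManualRateFeed {
    address public owner;
    uint256 public usdCentsPerEth;

    constructor(uint256 _initialRate) public {
        require(_initialRate > 0, "rate must be positive");
        owner = msg.sender;
        usdCentsPerEth = _initialRate;
    }

    function setRate(uint256 _rate) public {
        require(msg.sender == owner, "caller is not the owner");
        require(_rate > 0, "rate must be positive");
        usdCentsPerEth = _rate;
    }
}

// Crowdsale sketch with a USD-denominated goal. goalReached() reads the feed
// live, so its answer follows every rate update, including updates made after
// the sale is finalized; the fix is to decide the outcome once, at finalize().
contract SnapshotGoalCrowdsale {
    address public owner;
    ManualRateFeed public feed;
    uint256 public goalUsdCents;
    uint256 public weiRaised;
    bool public isFinalized;
    bool public goalReachedAtFinalization;   // written once, in finalize()

    mapping(address => uint256) public deposits;

    constructor(ManualRateFeed _feed, uint256 _goalUsdCents) public {
        owner = msg.sender;
        feed = _feed;
        goalUsdCents = _goalUsdCents;
    }

    // Contributions are accepted until finalization.
    function () external payable {
        require(!isFinalized, "sale is finalized");
        require(msg.value > 0, "no value sent");
        deposits[msg.sender] += msg.value;
        weiRaised += msg.value;
    }

    // Live view: USD value of the wei raised at the rate the feed holds right now.
    function goalReached() public view returns (bool) {
        uint256 rate = feed.usdCentsPerEth();          // feed guarantees rate > 0
        uint256 usdCents = weiRaised * rate;
        require(usdCents / rate == weiRaised, "multiplication overflow"); // SafeMath in real code
        return usdCents / 1 ether >= goalUsdCents;
    }

    // The outcome is evaluated exactly once and frozen. Later setRate() calls
    // still change goalReached(), but not the flag the money paths depend on.
    function finalize() public {
        require(msg.sender == owner, "caller is not the owner");
        require(!isFinalized, "already finalized");
        goalReachedAtFinalization = goalReached();
        isFinalized = true;
    }

    // Success path: gated on the frozen flag, not on the live rate.
    function withdrawFunds() public {
        require(isFinalized && goalReachedAtFinalization, "goal not reached at finalization");
        owner.transfer(address(this).balance);
    }

    // Refund path: likewise cannot be blocked by a rate update after finalization.
    function claimRefund() public {
        require(isFinalized && !goalReachedAtFinalization, "refunds not open");
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to refund");
        deposits[msg.sender] = 0;
        msg.sender.transfer(amount);
    }
}
```

With the live check, a sale finalized with goalReached() true becomes un-withdrawable as soon as setRate() lowers the rate enough, and a failed sale's refunds stop as soon as the rate rises; with the snapshot, calling setRate() after finalize() changes goalReached() but neither withdrawFunds() nor claimRefund(). Storing the decision in a boolean also keeps both paths independent of the feed contract staying deployed and callable.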
The FlatCryptonityCrowdsale and FlatCryptonityToken contracts declare "pragma solidity ^0.4.13;" but use the "constructor" keyword, which is only available from compiler version 0.4.22 onward; the pragma should be raised to the compiler version the code actually requires.
The CryptonityCrowdsale.sol file does not compile with the current OpenZeppelin framework version, throwing the error "Linearization of inheritance graph impossible"; this is due to a recent framework update.
The project developers should pin the version of the OpenZeppelin framework contracts that was used during the development of CryptonityCrowdsale.sol, allowing auditors to correctly audit the project. For this audit, the flatcontracts folder was used to work around the issue.
This ICO is not safe to deploy; the developers should update the code to address the security issues highlighted above.