Skip to content

Instantly share code, notes, and snippets.

@RideSolo

RideSolo/ETH_ucoin_report.md

Created September 6, 2019 01:34
Show Gist options
  • Save RideSolo/b154933c0c1cff28a21a43a59f41d0c2 to your computer and use it in GitHub Desktop.
Save RideSolo/b154933c0c1cff28a21a43a59f41d0c2 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ETH_ucoin_report.md

UCOIN Audit Report.

1. Summary

This document is a security audit report performed by RideSolo, where UCOIN has been reviewed.

Symbol       : UCOIN
Name         : Universal Coin
Capped supply: 5,000,000,000
Decimals     : 8 
Standard     : ERC20

2. In scope

3. Findings

9 issues were reported including:

  • 2 high severity issue.
  • 2 medium severity issues.
  • 2 low severity issues.
  • 3 owner privileges

3.1. Frozen ETH

Severity: High

Description

The contract contains a token buy and sell functions if the buying price and the selling price is different, then functions to withdraw or to deposit ether should be implmented inside the contract (please note that no such functions are implemented).

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L233#L24

3.2. Buy/Sell

Severity: High

Description

The buy and sell price is set by two variables that do not contain nominator and denominator information, meaning that for example the sell price set to a minimum will be 1 wei making the price of 1 token that is sold to the contract equal to 1 ether since the decimals are equal to 18.

Developers should be aware that this will not give them any flexibility to set the token sell and buy prices, meaning that the buy price for 1 token should be higher than 1 ether (please note that following this logic more than 5 billions ether are needed to buy all the tokens buy the investors).

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L233#L24

3.3. ERC20 Compliance

Severity: medium

Description

transfer does not return a boolean as described in EIP20 (please note that transferFrom is correctly implemented).

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/65f85924bbd88e4edca573ca6dcf4688cc1f0394/UCOIN_Smart_Contract.sol#L90#L93

3.4. Minting Overflow

Severity: medium

Description

Mint function does not use safeMath library or any other logic to prevent overflow.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L211#L212

3.5. Transfer Event

Severity: low

Description

The transfer event is not emitted when allocating to total supply inside the constructor.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L50#L59

3.6. Owner privileges

Severity: medium

Description

  • Owner can mint unlimited amount of tokens, even if the total supply is already set in the constructor.

  • Owner can freeze/unfreeze users wallets without restrictions.

  • Owner can change the token buys/sell price at any moment.

Code snippet

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L210#L215

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L220#L223

https://github.com/ucoincurrency/UCOIN/blob/master/UCOIN_Smart_Contract.sol#L228#L231

3.7. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

4. Conclusion

The contract must not be deployed before fixing all issues and reaudit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment