This document is a security audit report performed by RideSolo, where FriendsFingers has been reviewed.
- FriendsFingersBuilder.sol github commit hash a5905720f22ccb643e295ce9c1ee868407c0cc6e.
- FriendsFingersCrowdsale.sol github commit hash d2fd56163eb87493b6fc367b8c89a21295322361.
- FriendsFingersToken.sol github commit hash 8149bc64ec430f8066f3d3f48688b10f58f1b3cf.
- ContractReceiverImpl.sol github commit hash ce4d887429f563728b81648714fcc416ee53c656.
- ContractReceiverInterface.sol github commit hash ce4d887429f563728b81648714fcc416ee53c656.
- SafeContract.sol github commit hash ce4d887429f563728b81648714fcc416ee53c656.
5 issues were reported:
- 1 Critical severity issue.
- 2 Low severity issues.
- 3 Owner Privileges.
closeCrowdsale, a function member of FriendsFingersBuilder designed to finalize the crowdsale, is only accessible by the owner or the crowdsale creator; however, finalize, a function member of FriendsFingersCrowdsale, is public. If any attacker calls finalize directly once all the conditions to finalize the crowdsale are met, FriendsFingersBuilder's closeCrowdsale won't execute, since it calls finalize, which will throw because it was previously called. This leaves the token contract in a minting state, since finishMinting can't be called anymore.
The token contract is designed to block all transfers until mintingFinished is set to true, meaning that an attacker can block transfers of the newly deployed token for all users and make the ICO fail.
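To make the access-control gap concrete, here is an added illustrative Solidity sketch (not the FriendsFingers code): a crowdsale whose finalize is public, beside one that restricts finalize to the builder and closes minting in the same call. All contract bodies are assumptions; only the function names follow the report.

```solidity
pragma solidity ^0.4.24;
// Illustrative pattern only, not the FriendsFingers code: the contract
// bodies are assumptions, the function names follow the report.
contract MintableToken {
    address public owner;
    bool public mintingFinished;

    constructor() public { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function finishMinting() public onlyOwner returns (bool) {
        require(!mintingFinished);
        mintingFinished = true;
        return true;
    }

    // Transfers stay blocked until minting is finished, as in the report.
    function transfer(address, uint256) public view returns (bool) {
        require(mintingFinished);
        return true;
    }
}

contract VulnerableCrowdsale {
    bool public isFinalized;
    // Public and unrestricted: any caller can finalize once the end
    // conditions hold, and the builder's own later call then reverts on
    // require(!isFinalized), so finishMinting is never reached.
    function finalize() public {
        require(!isFinalized);
        isFinalized = true;
    }
}

contract HardenedCrowdsale {
    address public builder;     // the deploying builder contract
    MintableToken public token; // token owned by this crowdsale (assumed)
    bool public isFinalized;

    constructor(MintableToken _token) public { builder = msg.sender; token = _token; }
    modifier onlyBuilder() { require(msg.sender == builder); _; }

    // Only the builder may finalize, and minting is closed in the same
    // transaction, so the two state changes cannot be split apart.
    function finalize() public onlyBuilder {
        require(!isFinalized);
        isFinalized = true;
        require(token.finishMinting());
    }
}
```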
The fallback function is used to donate ether to the project; however, it can be misused by users. Developers should create a dedicated deposit function with a unique name.
The FriendsFingers dapp is a tool for entrepreneurs to deploy an ICO without needing to deploy or develop a dapp themselves; however, people using FriendsFingers should be aware that they have no control over the ICO, as everything has to be handled through the FriendsFingers owner.
- Pause/unpause claimRefund, buyTokens and finalize without any restriction using pauseCrowdsale/unpauseCrowdsale (please note that, for example, pausing finalize will allow the FriendsFingers owner to possibly withdraw the funds collected by the ICO, which do not belong to them in any way, using safeWithdrawal or setExpiredAndWithdraw a year after the end of the ICO).
- Block a crowdsale without permission from the ICO creator using blockCrowdsale and allow the users to withdraw their ether, supposing that no action was taken by FriendsFingers to withdraw the investors' funds.
- FriendsFingers' owner can change the rate applied to the ICO at any moment using setFriendsFingersRateForCrowdsale or setDefaultFriendsFingersRate.
- A double withdrawal attack is possible. More details here
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here
The audited contracts are not safe because of the critical severity issue. Users intending to deploy their ICO through the FriendsFingers Dapp should be aware that they won't be in charge of the ICO's main mechanism, leaving them without any privilege.
The ICO process should be completely automated, without any external intervention, to gain the trust of investors.