Skip to content

Instantly share code, notes, and snippets.

@alexo18

alexo18/ERC20andCrowdsale.md Secret

Last active July 13, 2018 10:24
Show Gist options
  • Save alexo18/e5558d8e863de0a139455000f86352fa to your computer and use it in GitHub Desktop.
Save alexo18/e5558d8e863de0a139455000f86352fa to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ERC20andCrowdsale.md

Ethereum Classic ERC20andCrowdsale smart contract audit report.

Summary

This is the report from a security audit performed on ERC20andCrowdsale smart contract (ETH) by alexo18. The audit focused primarily on the security of funds and fault tolerance of the ERC20andCrowdsale contract. The main intention of this contract is to serve as token crowdsale system.

In scope

Crowdsale.sol
ERC20Interface.sol
ERC20Token.sol
Ownable.sol
SafeMath.sol

Findings

In total, 4 issues were reported including:

  • 3 medium severity issues.
  • 1 low severity issues.

Security issues

1. Modifier not implemented.

Severity: medium

Description

While mentioned in the comments , at the time being there is no modifier which checks following conditions :

1.From account must have sufficient balance to transfer.
2.Spender must have sufficient allowance to transfer.

Code snippet

https://github.com/SamueleA/ERC20andCrowdsale/blob/master/ERC20Token.sol#L103 https://github.com/SamueleA/ERC20andCrowdsale/blob/master/ERC20Token.sol#L71

2. Permanent wallet.

Severity: medium

Description

A mechanism to update the '_wallet' variable is not presented. In some specific circumstances there is need to replace the wallet address ,for example if current wallet being compromised .

Code snippet

https://github.com/SamueleA/ERC20andCrowdsale/blob/master/Crowdsale.sol#L87

Recommendation

Implement a mechanism to update the '_wallet' variable.

3. The 'StageLevel.END' logic is not implemented.

Severity: medium

Description

At the time being the 'StageLevel.END' logic is not implemented in the contract , so even after execution of the 'endCrowdsale' function the contract will continue to work in standard mode.

Code snippet

https://github.com/SamueleA/ERC20andCrowdsale/blob/master/Crowdsale.sol#L131

4. Both 'Crowdsale' and 'Token' contracts use same address.

Severity: low

The current design of the system requires both 'Crowdsale' and 'Token' contracts to be located at the same address, which exposes both of them in case of the address being compromised and also reduces the system flexibility.

Code snippet

https://github.com/SamueleA/ERC20andCrowdsale/blob/master/Crowdsale.sol#L165

Recommendation

Provide a mechanism which allows to locate the 'Crowdsale' and 'Token' contracts at different addresses as follows:

function addTrustedAccount(address trustedAccount) public onlyOwner returns (bool success) {
trustedAccount.push(trustedAccount);
return true;
}

function isTrustedAccount(address trustedAccount) internal returns (bool success) {
for (uint i=0; i<trustedAccount.length; i++) {
if (trustedAccount==trustedAccount[i])
return true;
}
return false;
}

Conclusion

No critical vulnerabilities were detected.The contract is safe to use after fixing aforementioned bugs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment