This document is a security audit report performed by danbogd, in which the Immiris smart contracts were reviewed.
Commit hash 7d56cc3490e991d0846baa5563087c252878363d. Audited files:
- OwnableSecondary.sol.
- Controller.sol.
- ImmutableEternalStorage.sol.
- ImmutableEternalStorageInterface.sol.
- Migrations.sol.
- StatementRegistery.sol.
- StatementRegisteryInterface.sol.
In total, 5 issues were reported, including:
- 1 high severity issue.
- 4 low severity issues.
No critical security issues were found.
The statementCountByBuildingPermit function uses a while-loop to count the number of statements. This can lead to an "Out of Gas" error or to hitting the block gas limit. View functions are not charged for gas when called off-chain, but gas is still calculated and must not exceed the limits. For example, with 10 statements in storage the cost of calling the function is 63998 gas; with 100 statements it is 402116 gas. The block gas limit is about 8000000. If storage holds more than 1600 statements, the smart contract will no longer be usable, because this function is called when creating new statements in recordStatement.
Store the number of statements for each buildingPermitId so that it does not have to be recalculated on every call.
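The pattern behind the high severity finding and its recommended fix, as an added illustration written for this report and not taken from the audited Immiris code; the Statement struct, the statements array and the counter mapping are assumptions, while statementCountByBuildingPermit and recordStatement are the names used above.

```solidity
pragma solidity >=0.4.24 <0.9.0;

// Illustration only: storage layout and struct fields are assumed,
// not copied from the audited StatementRegistery.sol.
contract StatementRegistryExample {
    struct Statement {
        bytes32 buildingPermitId;
        bytes32 statementHash;
    }

    Statement[] public statements;

    // Finding (high severity): the loop visits every statement ever
    // recorded, so gas grows linearly with storage. Because
    // recordStatement calls this function, writes eventually exceed
    // the block gas limit and the contract becomes unusable.
    function statementCountByBuildingPermitUnbounded(bytes32 permitId)
        public view returns (uint256 count)
    {
        uint256 i = 0;
        while (i < statements.length) {
            if (statements[i].buildingPermitId == permitId) {
                count++;
            }
            i++;
        }
    }

    // Recommended fix: keep a per-permit counter that is maintained
    // in recordStatement, so the lookup is a single storage read
    // whose cost does not depend on how many statements exist.
    mapping(bytes32 => uint256) private statementCount;

    function statementCountByBuildingPermit(bytes32 permitId)
        public view returns (uint256)
    {
        return statementCount[permitId];
    }

    function recordStatement(bytes32 permitId, bytes32 statementHash) public {
        statements.push(Statement(permitId, statementHash));
        statementCount[permitId]++; // constant cost regardless of history
    }
}
```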
The input address is not checked for a null value, so funds can be transferred to the 0x0 address.
The contract owner is able to change the price at any time.
The owners can implement any logic in the new contract. Even if the new contract is audited, the address can be changed again at any time to point to an unaudited and insecure contract.
When a contract is destroyed (selfdestruct), its bytecode is removed from the blockchain, but transactions sent to its address are still accepted. This means that any amount transferred to the contract after its destruction is lost forever.
Recommendation: a better approach is to implement a soft ending mechanism, in which no function can be called and sent ether is rejected. See Pausable.sol from Zeppelin.
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.