Skip to content

Instantly share code, notes, and snippets.

@mobilipia
Last active May 27, 2019 03:53
Show Gist options
  • Save mobilipia/be72a329ccdcf58fcc5874e482a5dec3 to your computer and use it in GitHub Desktop.
Save mobilipia/be72a329ccdcf58fcc5874e482a5dec3 to your computer and use it in GitHub Desktop.

Weidex v2 Security Audit Report

1. Summary

This is an audit of the Weidex v2 smart contract. The audit focused on the vulnerability of the contract to attacks as well as ability of a third party to exploit such vulnerabilities.

2. In scope

  1. contracts/utils/LibSignatureValidator.sol
  2. contracts/exchange/ExchangeUpgradability.sol
  3. contracts/exchange/ExchangeStorage.sol
  4. contracts/exchange/ExchangeOffering.sol
  5. contracts/mocks/OldERC20.sol
  6. contracts/exchange/ExchangeBatchTrade.sol
  7. contracts/exchange/interfaces/IExchangeUpgradability.sol
  8. contracts/exchange/WeiDex.sol
  9. contracts/mocks/SimpleToken.sol
  10. contracts/mocks/SimpleOldToken.sol
  11. contracts/utils/LibOrder.sol
  12. contracts/utils/LibCrowdsale.sol
  13. contracts/exchange/ExchangeMovements.sol

3. Findings

In total, 10 issues were found including:

3.1 No check for call (High)

Description

Always assume that calls to external functions will fail. 
It is therefore necessary to check for the return value from this functions. 
It is also recommended to use the transfer function for sending ether.

Recommendation

Check the return value of functions.

Code snippet

https://gist.github.com/mobilipia/0daa8a8a2119e921455b447d91fe1af2#file-exchangebatchtrade-sol-L75-L81

3.2 Super Role (Medium)

Description

The function can only be called from one address. 
This implies total dependency on that address. 
If the address is compromised or the private key lost then investor funds may be lost forever.

Recommendation

Implement the function as the contracts constructor.

Code snippet

https://gist.github.com/mobilipia/1ac6bb4124f98893ba310aae9abf695e#file-exchangeupgradability-sol-L38-L43 https://gist.github.com/mobilipia/75ba451d440d86166d9ef9bdc05df145#file-exchangestorage-sol-L200-L212 https://gist.github.com/mobilipia/75ba451d440d86166d9ef9bdc05df145#file-exchangestorage-sol-L217-L230

4. Conclusion

The audited smart contract requires modification. Some high severity issues were found during the audit.

5. Revealing audit reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment