This document is a security audit report performed by RideSolo, in which multiple smart contracts have been reviewed.
The audited smart contracts allow users to create an ICO with a five-stage crowdsale and a custom ERC20-compatible token contract.
- Crowdsale.sol github commit hash b0bf48ad75c6767d03acaf1e62b82af34901872d
- ERC20Token.sol github commit hash b0bf48ad75c6767d03acaf1e62b82af34901872d
- Ownable.sol github commit hash b0bf48ad75c6767d03acaf1e62b82af34901872d
- SafeMath.sol github commit hash b0bf48ad75c6767d03acaf1e62b82af34901872d
- ERC20Interface.sol This is the ERC20 Token Standard Interface defined by the Ethereum community.
5 issues were reported including:
- 1 high severity issue.
- 1 medium severity issue.
- 1 low severity issue.
- 2 minor remarks.
The function totalSupply, member of the ERC20Token contract, returns _totalSupply minus balances[address(0)]. address(0) is probably used to burn tokens for deflationary purposes by sending tokens to address(0) with transfer or transferFrom, since these two functions do not prevent sending tokens to address(0). This logic is a risk for users, since they can send tokens to address(0) by mistake and lose them.
- Implement a dedicated burn function to avoid a possible user mistake.
- Add require(tokenReceiver != address(0)) to transfer and transferFrom to prevent users from sending tokens to address(0).
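As an added illustration of the two recommendations above (this is example code, not the audited ERC20Token contract), the following Solidity contract rejects transfers to address(0) and replaces the implicit "send to address(0)" burn with an explicit burn function; the contract, variable and event names are assumed for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Example only: names (GuardedToken, balances, _totalSupply, Burn) are assumed,
// not taken from the audited repository.
contract GuardedToken {
    mapping(address => uint256) internal balances;
    uint256 internal _totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Burn(address indexed from, uint256 value);

    constructor(uint256 initialSupply) {
        _totalSupply = initialSupply;
        balances[msg.sender] = initialSupply;
    }

    // Because transfer() refuses address(0), nothing can ever accumulate in
    // balances[address(0)], so totalSupply() no longer has to subtract it.
    function totalSupply() public view returns (uint256) {
        return _totalSupply;
    }

    function balanceOf(address owner) public view returns (uint256) {
        return balances[owner];
    }

    function transfer(address to, uint256 value) public returns (bool) {
        // The recommended guard: a mistaken zero-address transfer reverts
        // instead of silently destroying the sender's tokens.
        require(to != address(0), "transfer to the zero address");
        require(balances[msg.sender] >= value, "insufficient balance");
        balances[msg.sender] -= value;
        balances[to] += value;
        emit Transfer(msg.sender, to, value);
        return true;
    }

    // Dedicated burn: the only path that reduces supply, and the caller
    // has to ask for it explicitly.
    function burn(uint256 value) public returns (bool) {
        require(balances[msg.sender] >= value, "insufficient balance");
        balances[msg.sender] -= value;
        _totalSupply -= value;
        emit Burn(msg.sender, value);
        emit Transfer(msg.sender, address(0), value); // conventional burn signal
        return true;
    }
}
```

The same require(to != address(0)) check belongs in transferFrom, which is omitted here for brevity.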
transfer and transferFrom, members of the ERC20Token contract, allow users to send tokens to contract addresses. If the receiving contract is not ERC20 compatible, the tokens can be lost. The ERC20Token contract does implement approveAndCall, to be used with contracts that implement the receiveApproval function, but this does not prevent user mistakes when calling transfer and transferFrom directly.
This is a well known issue of ERC20 tokens.
minAmount and maxAmount, members of the Crowdsale contract, represent the minimum and maximum transaction value that can be sent to the crowdsale contract, not the investment limit per individual or address as the comments state. A transaction reverts if the user buys more or less than these limits, but any user can simply make a new transaction to buy more tokens.
The ERC20Token contract is a token compatible with the ERC20 standard but with additional functionality. The contract name can lead users to confusion.
_postValidatePurchase and _updatePurchasingState, members of the Crowdsale contract, are empty functions, and yet they are called in the buyTokens function.
The reviewed contracts contain issues of different severity levels that need to be fixed. The current version of the contracts may cause users to lose tokens; the issues need to be fixed before deployment on the live network.