@yuriy77k
Created July 27, 2018 20:21
TokenTrader conclusion.

TokenTrader Smart Contract security audit report performed by Callisto Security Audit Department

Conclusion:

No critical issues were found, but bug fixing is necessary. It is highly recommended to complete a bug bounty before use.

Medium severity issues:

Low severity issues:

  • The modifier onlyOwnerOrTokenTraderWithSameOwner allows an attacker to run the function body if the call comes from a smart contract whose owner variable equals the real owner's address. In this contract it cannot cause a loss of customer funds or a breach of the contract's operability, but you need to be aware of this in future use.

  • Overflow is possible if the maker (seller) sets an unrealistically high sellPrice.
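To make the modifier finding concrete, here is an added illustration that is not TokenTrader's own code (the interface names, the factory verify function, the constructor arguments and the contract bodies are assumptions): the weak pattern that trusts any caller whose owner() reports the right address, beside a hardened variant that first requires the caller to be a contract the trusted factory itself deployed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; hypothetical reconstruction, not TokenTrader's code.
interface ITokenTraderLike {
    function owner() external view returns (address);
}

// Assumed factory registry: returns true only for traders it deployed itself.
interface ITraderFactory {
    function verify(address trader) external view returns (bool);
}

// Weak pattern: trusts whatever owner() the calling contract reports.
contract TraderWeak {
    address public owner;

    event Privileged(address indexed caller);

    constructor(address _owner) {
        owner = _owner;
    }

    modifier onlyOwnerOrTokenTraderWithSameOwner() {
        // Any contract whose owner() returns this owner's address passes,
        // whether or not it is a genuine trader from the factory.
        require(
            msg.sender == owner ||
                ITokenTraderLike(msg.sender).owner() == owner,
            "not owner or sibling trader"
        );
        _;
    }

    function privileged() external onlyOwnerOrTokenTraderWithSameOwner {
        emit Privileged(msg.sender);
    }
}

// Hardened pattern: only contracts the factory knows may vouch for their owner.
contract TraderHardened {
    address public owner;
    ITraderFactory public immutable factory;

    event Privileged(address indexed caller);

    constructor(address _owner, ITraderFactory _factory) {
        owner = _owner;
        factory = _factory;
    }

    modifier onlyOwnerOrTokenTraderWithSameOwner() {
        if (msg.sender != owner) {
            // First prove the caller is a factory-deployed trader, then
            // compare owners; an arbitrary contract never reaches the second check.
            require(factory.verify(msg.sender), "caller not a factory-deployed trader");
            require(ITokenTraderLike(msg.sender).owner() == owner, "different owner");
        }
        _;
    }

    function privileged() external onlyOwnerOrTokenTraderWithSameOwner {
        emit Privileged(msg.sender);
    }
}
```

The difference is where trust is anchored: TraderWeak lets the caller assert its own owner, while TraderHardened only accepts that assertion from contracts the factory registered at deployment time.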

Reviewed audit reports:

https://gist.github.com/RideSolo/4b821749ceadf855cb3cb1ca2d21b8bf

https://gist.github.com/gorbunovperm/1872ef525c6f4a03a5014e77e53dafaf

https://gist.github.com/MrCrambo/0a0f088ccf2b2101ea7e39bc010f7d3c

https://gist.github.com/alexo18/6ba63ad2ac5e5c942bb8157e3015cc41

@RideSolo

Notes regarding the https://gist.github.com/yuriy77k/41d0c22e8443e649e6257a7dbb331cc4 report.

When you specify a commit hash, it is better to specify a hash for each file, not for the tree. For example, TokenSellerFactory.sol at GitHub commit hash 376cdb1feccc4fb613daff9d6b0130b70cc942ce, or 376cdb1 for short.

Your report is fine.

@gorbunovperm

Notes regarding the https://gist.github.com/yuriy77k/ceaf6eced543789c06bf12a387c1eae5 report.

  • The double-spending attack is possible only in TestERC20Token.sol, which is "For TESTING ONLY on Testnet or Dev blockchain." So it may have some bugs.

  • Overflow is possible only if the market maker (seller) sets an unrealistically high sellPrice. For example, the current Ethereum supply is less than 2^24 (or less than 2^78 in Wei), so a sellPrice higher than 2^200 can only be set deliberately to cause an overflow. I think it has low severity.

  • Overflow is not possible in other places.
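The overflow reasoning in the list above (and in the conclusion's low-severity item), as an added example that is not part of the original audit or of TokenTrader's code; the contract name, function names and the supply bound constant are assumptions built from the figures in the note. An unchecked multiplication reproduces the silent wrap of pre-0.8 compilers, the checked version rejects any amount/price pair whose product does not fit in uint256, and the order function applies a payability bound before storing a maker's price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; hypothetical, not TokenTrader's code.
contract PriceOverflowDemo {
    // Constructed from the note's reasoning: total Ether supply expressed
    // in wei stays below 2**78, so no order can ever cost more than that.
    uint256 public constant SUPPLY_BOUND_WEI = 2 ** 78;

    mapping(address => uint256) public sellPriceOf;

    // Reproduces the pre-0.8 behaviour the finding warns about: the product
    // silently wraps, so a huge sellPrice can yield a tiny total cost.
    function wrappingCost(uint256 amount, uint256 sellPrice) public pure returns (uint256) {
        unchecked {
            return amount * sellPrice;
        }
    }

    // Explicit check: reject any (amount, price) pair whose product cannot be
    // represented, with a reason string instead of a bare arithmetic panic.
    function checkedCost(uint256 amount, uint256 sellPrice) public pure returns (uint256) {
        if (amount == 0) return 0;
        require(sellPrice <= type(uint256).max / amount, "amount*sellPrice overflows uint256");
        return amount * sellPrice;
    }

    // Maker-side sanity bound: the whole order must be payable with Ether that
    // can actually exist, which rules out prices chosen only to overflow.
    function isPayableOrder(uint256 amount, uint256 sellPrice) public pure returns (bool) {
        if (amount == 0) return false;
        if (sellPrice > type(uint256).max / amount) return false;
        return amount * sellPrice <= SUPPLY_BOUND_WEI;
    }

    function setSellPrice(uint256 amount, uint256 sellPrice) external {
        require(isPayableOrder(amount, sellPrice), "order could never be paid");
        sellPriceOf[msg.sender] = sellPrice;
    }
}
```

With amount 2**56 and sellPrice 2**200 the product is exactly 2**256, so wrappingCost returns 0 while checkedCost reverts and isPayableOrder returns false; the bound check is what turns the note's "only set specially for overflowing" observation into an enforced rule.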

@MrCrambo

Notes regarding the report.

Your report is fine.

@alexo18

Notes regarding the https://gist.github.com/yuriy77k/c3a9846a95662e0cfb93f4864ebe3160 report.

  • The risk of incorrectly implemented ERC20 standard functions is equivalent to the risk of a fraudulent asset. We assume that the buyer and seller know the asset being traded. Not a security issue.

  • The use of the modifier onlyOwnerOrTokenTraderWithSameOwner in this contract cannot cause a loss of customer funds or a breach of the contract's operability, so it has low severity.

Your report is fine.
