ERC20andCrowdsale contract audit report

ETC_ETH_ERC20andCrowdsale_audit_report.md

Ethereum Classic ERC20andCrowdsale audit report

Summary

This is the report from a security audit performed on ERC20andCrowdsale by gorbunovperm.

ERC20andCrowdsale alow to create ERC20 token and sale it at five stages with a different rate of exchange at each stage.

In scope

1. Crowdsale.sol
2. ERC20Interface.sol
3. ERC20Token.sol
4. Ownable.sol
5. SafeMath.sol

Findings

In total, 6 issues were reported including:

• 1 high severity issue.

• 0 medium severity issues.

• 4 low severity issues.

• 1 minor observations.

Security issues

Issues for ERC20Token.sol

1. It is recommended to add condition to check an empty recipient address for transfer.

Severity: low

Code snippet

function transfer(address to, uint tokens) public returns (bool success) {
    balances[msg.sender] = balances[msg.sender].sub(tokens);
    balances[to] = balances[to].add(tokens);
    // ...
}

function transferFrom(address from, address to, uint tokens) public returns (bool success) {
    balances[from] = balances[from].sub(tokens);
    allowed[from][msg.sender] = allowed[from][msg.sender].sub(tokens);
    balances[to] = balances[to].add(tokens);
    // ...
}

Description

In some cases it is possible to send funds to an empty address.

Recommendation

Add require(to != address(0)); condition in the begining of the function.

2. Double-spend attack is possible.

Severity: high

Code snippet

function approve(address spender, uint tokens) public returns (bool success) {
    allowed[msg.sender][spender] = tokens;
    Approval(msg.sender, spender, tokens);
    return true;
}

Description

In case the user wants to change the approved amount an double-spend attack is possible.

Recommendation

Look at here.

3. It is recommended to use the SafeMath library to avoid overflowing.

Severity: minor observation

Code snippet

function inflate(uint percent) public onlyOwner {
    // ...
    _totalSupply += addedTokens;
    // ...
}

Description

Theoretically, the variable _totalSupply can be overflowed. This is not a danger in this case but it is better to fix it.

Recommendation

Use _totalSupply = _totalSupply.add(addedTokens); instead _totalSupply += addedTokens;.

Issues for Crowdsale.sol

4. The price may change in the opposite direction.

Severity: low

Code snippet

function buyTokens(address _beneficiary) public payable {
    // ...
    tokensSold += tokens;
    // ...
}

Description

tokensSold variable overflow is possible. This will change the level of stage in the opposite direction. Accordingly, the price will change.

Recommendation

Use tokensSold = tokensSold.add(tokens); instead tokensSold += tokens;.

5. End of auction does not work.

Severity: low

Code snippet

function _preValidatePurchase(address _beneficiary, uint256 _weiAmount) internal {
    require(_beneficiary != address(0));
    require(_weiAmount >= minAmount);
    require(_weiAmount <= maxAmount);
}

Description

In endCrowdsale function stage level changes to StageLevel.END but this is not checked when buying a tokens. And the level will be changed again after the first purchase because _updateCrowdsaleStage function will be call.

Recommendation

Add require(stageLevel != StageLevel.END); condition in _preValidatePurchase function.

6. It is recommended to add condition to check an empty recipient address for transfer.

Severity: low

Code snippet

function endCrowdsale( address _returnAddress, uint256 _tokenAmount) public onlyOwner {
    stageLevel = StageLevel.END;
    _deliverTokens(_returnAddress, _tokenAmount);
}

Description

In some cases it is possible to send funds to an empty address.

Recommendation

Add require(_returnAddress != address(0)); condition in the begining of the function.

Conclusion

These contracts are not secure, it is necessary to fix the described vulnerabilities.