@yuriy77k
Last active August 13, 2018 11:12
ERC20andCrowdsale conclusion

ERC20andCrowdsale security audit report performed by Callisto Security Audit Department

Conclusion:

No critical issues were found, but bug fixing is necessary. It is highly recommended to complete a bug bounty before use.

Medium severity issues:

Revealing audit reports:

https://gist.github.com/yuriy77k/361d9fb7a15964108df074693c1111cd

https://gist.github.com/yuriy77k/aac699435f6001de1c7f8cac36886f1e

https://gist.github.com/yuriy77k/4b70f783eb5342f03560fb84055a34ce

https://gist.github.com/yuriy77k/b65fcc7d8453c5162cda871bb5c40565

@RideSolo

Notes regarding the https://gist.github.com/RideSolo/14ad397f41209193024772ba63850fe2 report.

  • The risk for users to lose tokens when sending to the wrong address is a common problem for ERC20, it does not matter which address they send it to (address(0) or to any other wrong address).

Severity: medium

@gorbunovperm

Notes regarding the https://gist.github.com/gorbunovperm/c90e99f0322327cb3aa5b78efa9a8f4d report.

  • Sending tokens to an empty address has a medium severity.

  • An attack on the approve/transferFrom methods is a common problem with the ERC20 API and can be exploited in some specific circumstances, so it has a medium severity.

  • StageLevel is not checked at all, so it does not matter what value it has. The main purpose of endCrowdsale() is to send the remaining tokens to whomever he wants.

@alexo18

Notes regarding the https://gist.github.com/alexo18/e5558d8e863de0a139455000f86352fa report.

  • A modifier is not needed because SafeMath is used. Not a security issue.

  • Permanent wallet has low severity.

  • StageLevel is not checked at all, so it does not matter what value it has. The main purpose of endCrowdsale() is to send the remaining tokens to whomever he wants.

@MrCrambo

Notes regarding the https://gist.github.com/MrCrambo/7a494e4f755ac3e6e496d05b2fd89990 report.

  • Sending tokens to an empty address has a medium severity.

  • Integer overflow is possible only theoretically. Practically, there is not enough ETH mined to carry out this attack, and even if there were enough, this attack would not give any profit to the attacker. Severity is low.
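The three recurring findings in the @gorbunovperm and @MrCrambo notes above (tokens lost to the empty address, the approve/transferFrom race, and integer overflow in crowdsale arithmetic) shown side by side in a minimal token with the usual mitigations. This is an added illustration, not code from the audited ERC20andCrowdsale contract or from any of the linked reports; the contract name, the `rate` value and the payable fallback used as the crowdsale entry point are assumptions.

```solidity
pragma solidity ^0.4.24;

// Added illustration, not the audited contract: each finding from the audit notes
// is marked with the check that mitigates it.

library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256 c) {
        c = a + b;
        require(c >= a, "overflow");
    }
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "underflow");
        return a - b;
    }
    function mul(uint256 a, uint256 b) internal pure returns (uint256 c) {
        if (a == 0) return 0;
        c = a * b;
        require(c / a == b, "overflow");
    }
}

contract HardenedToken {                       // hypothetical name
    using SafeMath for uint256;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    uint256 public rate = 1000;                // tokens per wei, assumed value

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 _initialSupply) public {
        totalSupply = _initialSupply;
        balanceOf[msg.sender] = _initialSupply;
        emit Transfer(address(0), msg.sender, _initialSupply);
    }

    // Finding: sending to the empty address burns tokens irrecoverably.
    // Mitigation: reject address(0) explicitly. A typo'd non-zero address
    // cannot be caught on-chain, which is why the reports rate this medium, not high.
    function transfer(address _to, uint256 _value) public returns (bool) {
        require(_to != address(0), "transfer to zero address");
        balanceOf[msg.sender] = balanceOf[msg.sender].sub(_value);   // reverts on underflow
        balanceOf[_to] = balanceOf[_to].add(_value);                 // reverts on overflow
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(_to != address(0), "transfer to zero address");
        allowance[_from][msg.sender] = allowance[_from][msg.sender].sub(_value);
        balanceOf[_from] = balanceOf[_from].sub(_value);
        balanceOf[_to] = balanceOf[_to].add(_value);
        emit Transfer(_from, _to, _value);
        return true;
    }

    // Finding: approve/transferFrom race. Changing a non-zero allowance directly
    // to another non-zero value lets a spender who acts between the two states
    // spend both the old and the new allowance.
    // Mitigation (a): only permit 0 -> N or N -> 0 transitions.
    function approve(address _spender, uint256 _value) public returns (bool) {
        require(_value == 0 || allowance[msg.sender][_spender] == 0, "reset allowance to 0 first");
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // Mitigation (b): relative changes, which cannot be turned into a double spend.
    function increaseApproval(address _spender, uint256 _addedValue) public returns (bool) {
        allowance[msg.sender][_spender] = allowance[msg.sender][_spender].add(_addedValue);
        emit Approval(msg.sender, _spender, allowance[msg.sender][_spender]);
        return true;
    }

    function decreaseApproval(address _spender, uint256 _subtractedValue) public returns (bool) {
        uint256 old = allowance[msg.sender][_spender];
        allowance[msg.sender][_spender] = _subtractedValue > old ? 0 : old - _subtractedValue;
        emit Approval(msg.sender, _spender, allowance[msg.sender][_spender]);
        return true;
    }

    // Finding: integer overflow in crowdsale arithmetic. Without SafeMath,
    // msg.value * rate or totalSupply + amount could wrap around; with SafeMath
    // the purchase reverts instead, which is why the overflow finding is rated low.
    function () public payable {
        uint256 amount = msg.value.mul(rate);
        totalSupply = totalSupply.add(amount);
        balanceOf[msg.sender] = balanceOf[msg.sender].add(amount);
        emit Transfer(address(0), msg.sender, amount);
    }
}
```

Either approve mitigation alone is enough; the 0-then-N rule is simpler for wallets to reason about, while increaseApproval/decreaseApproval keeps a single-transaction change possible for integrations that expect it.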
