This audit report was undertaken by BlockchainLabs.nz for the purpose of providing feedback to Etheal. It has subsequently been shared publicly without any express or implied warranty.
Solidity contracts were sourced from the public Github repo thesved/etheal-sale prior to commit 908389dd18cf892aaff28c19536459dcc434571b - we would encourage all community members and token holders to make their own assessment of the contracts.
All Solidity code contained in /contracts was considered in scope along with the tests contained in /test as a basis for static and dynamic analysis.
The audit report is focused on the following key areas - though this is not an exhaustive list.
- No correctness defects uncovered during static analysis?
- No implemented contract violations uncovered during execution?
- No other generic incorrect behaviour detected during execution?
- Adherence to adopted standards such as ERC20?
- Test coverage across all functions and events?
- Test cases for both expected behaviour and failure modes?
- Settings for easy testing of a range of parameters?
- No reliance on nested callback functions or console logs?
- Avoidance of test scenarios calling other test scenarios?
- No presence of known security weaknesses?
- No funds at risk of malicious attempts to withdraw/transfer?
- No funds at risk of control fraud?
- Prevention of Integer Overflow or Underflow?
- Explicit labeling for the visibility of functions and state variables?
- Proper management of gas limits and nested execution?
- Latest version of the Solidity compiler?
- Minor - A defect that does not have a material impact on the contract execution and is likely to be subjective.
- Moderate - A defect that could impact the desired outcome of the contract execution in a specific scenario.
- Major - A defect that impacts the desired outcome of the contract execution or introduces a weakness that may be exploited.
- Critical - A defect that presents a significant security vulnerability or failure of the contract across a range of scenarios.
- The constant keyword is being used in functions, this will be deprecated at the next breaking release -
Best practice
constant
should not be used for functions, it is going to be invalid at the next breaking release of solidity. Refer to solidity/issues/192. Some functions have already been changed toview
orpure
but this is not consistent. View on GitHub- Fixed 641e021a
- Keep formatting of if statements consistent -
Best practice
We would recommend avoiding single lineif
statements without using braces, this pattern is prone for introducing bugs. Eg.EthealPreSale.sol
Line 420 Line 142 Line 177 Line 420 ... View on GitHub- Fixed 22f606f6
- Expected ' { ' after for statement -
Correctness
View on GitHub- Fixed 908389dd
- '_balance' is declared but never used -
Correctness
Line 181 declares '_balance' but it is an unused variable This line can be removed asfunction getHealBalance()
achieves the same logic View on GitHub- Fixed 66f0f65a
- Throw is deprecated, in favour of revert, require and assert -
Best practice
View on GitHub- Fixed cd00135b
- None found
- None found
We have reviewed this document to ensure that there are no ommisions and that the developers' comments are a fair summary of each function.
The following contracts have 100% coverage:
- TokenVesting.sol
- TokenController.sol
- EthealToken.sol
- ERC20MiniMe.sol
- ERC20.sol
The following contracts are above 80% coverage:
- Crowdsale.sol
The
transferToken
function is missing a test but the overriden version is tested inethealNormalSale
andethealPreSale
contracts - SafeMath.sol This contract is identical to the OpenZeppelin library so it is generally considered well tested
- Ownable.sol There is no test to make sure ownership cannot be transferred if the new owners address is 0x0
- EthealNormalSale.sol
There is no test for
getContributors
, and there are some fail cases that are not tested - EthealController.sol Some of the fail cases are not tested
- RefundVault.sol The fail cases are not tested
The following contracts are above 60% coverage:
- HasNoTokens.sol Extracting ether is not tested, only token retrieval
- Pausable.sol
unpause
is tested, butpause
and it's associated modifiers are not tested - Controlled.sol
The
onlyController
modifier is not tested - Hodler.sol
Some fail cases are not tested,
setHodlerStake
function is not tested - RefundableCrowdsale.sol
The overriden version is tested in
ethealPreSale
, so this contract is fully tested - EthealPreSale.sol
Some fail cases are not tested,
getContributors
is not tested - FinalizableCrowdsale.sol
The fail case for
finalize
is not tested
The remaining contracts have less than 60% coverage:
- CappedCrowdsale.sol
The
BuyTokens
function is tested in the overriden version inethealNormalSale.sol
andethealPreSale.sol
- MiniMeToken.sol This is a copy of giveth minime, so it can be considered tested
- Wallet.sol This is a copy of consensys multisig, so it can be considered tested
Upon finalization of the contracts to be used by Etheal, the contracts were assessed on the gas usage of each function to ensure there aren't any unforeseen issues with exceeding the block size GasLimit. A detailed report can be found in Gas_Consumption.md.
Overall we have been fully satisfied with the resulting contracts following the audit feedback period. We took part in carefully reviewing all source code provided, including both static and dynamic testing methodology.
The developers have followed common best practices and demonstrated an awareness for attention to detail. We were pleased to see contracts in a modular format to avoid confusion and improve operability for all parties.