ONEX Network #129

Closed
HighlanderNetwork opened this issue Dec 21, 2018 · 7 comments

5 participants
@HighlanderNetwork
commented Dec 21, 2018

Audit request

ERC223 implementation, Proof-of-Stake Token on the Ethereum Classic Network. This is an alternative method to the more widely known process used by Bitcoin, Proof of Work (POW).

Address: 0x085b0fdf115aa9e16ae1bddd396ce1f993c52220
Website: https://onex.network

Source code

https://github.com/HighlanderNetwork/ONEX-Network/tree/master/contracts

Disclosure policy

Publish the report
Also please send report to: highlandernetwork@protonmail.com

Platform

Ethereum Classic (ETC)

Complexity

Low

@RideSolo

commented Dec 21, 2018

Auditing time: 1 day

@yuriy77k

Member

commented Dec 21, 2018

@RideSolo assigned.

@pro100skm

commented Dec 23, 2018

Auditing time: 1 day

@yuriy77k

Member

commented Dec 24, 2018

@pro100skm assigned.

@MrCrambo

commented Dec 25, 2018

Auditing time 1 day.

@yuriy77k

Member

commented Dec 25, 2018

@MrCrambo assigned

@yuriy77k

Member

commented Dec 28, 2018

1. Summary

ONEX smart contract security audit report performed by Callisto Security Audit Department

ERC223 implementation, Proof-of-Stake Token on the Ethereum Classic Network. This is an alternative method to the more widely known process used by Bitcoin, Proof of Work (POW).

2. In scope

  • ONEX.sol github commit hash 63b02beee3da39cea86c84703047b5d757e2f756.

3. Findings

In total, 4 issues were reported, including:

  • 3 medium severity issues.

  • 1 low severity issue.

3.1. Block Gas Limit Error

Severity: medium

Description

When the mint function is executed, the getCoinAge function is called to return the coin*day holding of a user; transaction execution can throw because the block gas limit is reached.
If a user receives many transactions, after a certain number the block gas limit can be reached when calling getCoinAge; therefore the user will not be able to receive his reward.
The for loop that iterates over transferIns is causing this issue.

Code snippet

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L241#L252

3.2. Staker Reward

Severity: medium

Description

If a token transfer occurs and a staker hasn't claimed his reward by calling the transfer function with a to address equal to his own, the deposit history transferIns will be deleted.

Following the ONEX description "ONEX provides two methods to trigger ONEX staking: 1.Sending a transaction to your own address with any amount of ONEX. 2.Using MyEtherWallet.com or Mist or any other software that can interact with contracts to execute mint() function.", contract developers should inform the stakers that transferring tokens after the minimum staking period without claiming their stake will result in the loss of their reward.

A simple mechanism that adds the reward to the staker's account if they meet the requirement when transferring tokens to another address can be implemented easily.

Code snippet

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L150

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L169

3.3. Token Transfer to Address 0x0

Severity: low

Description

The ONEX token does not require the to address to be non-null before transfer. Accidental token loss to address 0x0 is possible.

Code snippet

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L144

3.4. Wrong interest calculation

Severity: medium

Description

In the function getProofOfStakeReward there is a wrong interest calculation for the first two years: maxMintProofOfStake is by default 10% annual interest, as written in line 80, and the interest for the first year should be 100%, that is 10 times maxMintProofOfStake, but it is calculated as interest = (770 * maxMintProofOfStake).div(100), which is less than 100%. The situation is similar for the second-year calculation.

4. Conclusion

The smart contract has medium severity issues, which should be fixed.

5. Revealing audit reports

https://gist.github.com/yuriy77k/39dd2472966f8960ab8701ca0a397844

https://gist.github.com/yuriy77k/76feec3f37615b7bdd815cbc44c31450

https://gist.github.com/yuriy77k/98ce881c46f38cf9a34bf6e9236eb14c

@yuriy77k yuriy77k closed this Dec 28, 2018
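As an added illustration (editor's example, not ONEX project code and not part of the audit report above), the following Solidity sketch shows one way the three transfer-related findings (3.1 unbounded transferIns loop, 3.2 reward lost on plain transfer, 3.3 transfer to 0x0) could be addressed together in a PoS-style token. Everything here is an assumption chosen for the demonstration: the contract name, the transferInStruct layout, stakeMinAge, the MAX_TRANSFER_INS cap, the RATE_ONE fixed-point scale, and the _settleStake/_recordDeposit helpers. The only value taken from the report is the 10% default annual interest; its fixed-point representation is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Editor's example, not ONEX code. All names and constants are assumptions.
contract HardenedStakeTokenExample {
    struct transferInStruct { uint128 amount; uint64 time; }   // assumed layout

    mapping(address => uint256) public balanceOf;
    mapping(address => transferInStruct[]) internal transferIns;
    uint256 public totalSupply;

    uint256 public constant stakeMinAge = 3 days;      // assumed minimum holding period
    uint256 public constant MAX_TRANSFER_INS = 64;     // assumed cap on per-address history (3.1)
    uint256 public constant RATE_ONE = 1e18;           // 100% annual interest in fixed point (assumed scale)
    uint256 public annualInterest = RATE_ONE / 10;     // 10%, the default the report mentions

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Mint(address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        _recordDeposit(msg.sender, initialSupply);
    }

    /// 3.3: refuse the zero address so a mistyped recipient cannot burn tokens.
    modifier notZeroAddress(address to) {
        require(to != address(0), "transfer to address(0)");
        _;
    }

    function transfer(address to, uint256 value) public notZeroAddress(to) returns (bool) {
        if (to == msg.sender) return mint();          // keep the "send to yourself" trigger
        // 3.2: settle any matured stake BEFORE the sender's history is wiped below,
        // so an ordinary transfer no longer silently forfeits the reward.
        _settleStake(msg.sender);
        require(balanceOf[msg.sender] >= value, "insufficient balance");
        balanceOf[msg.sender] -= value;
        balanceOf[to] += value;
        emit Transfer(msg.sender, to, value);

        // Sent coins lose their age: the sender's history restarts with the remaining balance.
        delete transferIns[msg.sender];
        _recordDeposit(msg.sender, balanceOf[msg.sender]);
        _recordDeposit(to, value);
        return true;
    }

    function mint() public returns (bool) {
        return _settleStake(msg.sender);
    }

    /// Coin-days over the (bounded) history; only deposits older than stakeMinAge count.
    function getCoinAge(address who) public view returns (uint256 coinAge) {
        transferInStruct[] storage hist = transferIns[who];
        for (uint256 i = 0; i < hist.length; i++) {          // at most MAX_TRANSFER_INS iterations
            if (block.timestamp < uint256(hist[i].time) + stakeMinAge) continue;
            uint256 held = block.timestamp - uint256(hist[i].time);
            coinAge += uint256(hist[i].amount) * (held / 1 days);
        }
    }

    function getProofOfStakeReward(address who) public view returns (uint256) {
        // coin-days * annual rate / 365, in fixed point
        return getCoinAge(who) * annualInterest / (365 * RATE_ONE);
    }

    /// Pays out a matured reward and restarts the account's history.
    function _settleStake(address who) internal returns (bool) {
        uint256 reward = getProofOfStakeReward(who);
        if (reward == 0) return false;
        totalSupply += reward;
        balanceOf[who] += reward;
        delete transferIns[who];
        _recordDeposit(who, balanceOf[who]);
        emit Mint(who, reward);
        return true;
    }

    /// 3.1: keep the history bounded. Once the cap is reached, fold the new deposit into
    /// the newest entry and reset its timestamp; this slightly under-credits age but
    /// guarantees getCoinAge() can never grow past the block gas limit.
    function _recordDeposit(address who, uint256 amount) internal {
        if (amount == 0) return;
        require(amount <= type(uint128).max, "amount too large");
        transferInStruct[] storage hist = transferIns[who];
        if (hist.length >= MAX_TRANSFER_INS) {
            transferInStruct storage last = hist[hist.length - 1];
            uint256 merged = uint256(last.amount) + amount;
            require(merged <= type(uint128).max, "entry too large");
            last.amount = uint128(merged);
            last.time = uint64(block.timestamp);
        } else {
            hist.push(transferInStruct(uint128(amount), uint64(block.timestamp)));
        }
    }
}
```

The merge-at-cap rule trades a small, always-conservative loss of coin age for a hard upper bound on the loop in getCoinAge, which is the property finding 3.1 is about; settling the stake at the top of transfer is the mechanism finding 3.2 describes; and the notZeroAddress modifier is the null check finding 3.3 asks for. The interest schedule from finding 3.4 is deliberately not reproduced, since the report only states the intended first-year rate.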
