xEUR tokens (reaudit) #231
Comments
Auditing time: 2 days.
Auditing time: 2 days.
Auditing time: 2 days.
My report is finished.
@MrCrambo assigned
xEuro Token v2. Security Audit Report

1. Summary

xEuro Token v2. contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 6 issues were reported including:

No critical security issues were found.

3.1. Missing Events

Severity: low

Description

Transfer event should be emitted when

Code snippet

3.2. Zero address

Severity: low

Description

In function

Code snippet

Recommendation

Add zero address checking.

require(_newAddress != address(0));

3.3. Token Uses No Decimals

Severity: note

Description

While the specification defined the number of token decimals to be 18, no decimals were found to be used. This can cause problems when interacting with other smart contracts, as tokens with 0 decimals can cause rounding errors. For example, many exchanges charge a small fee based on the tokens exchanged. As such, using no decimals will either make it impossible to list the token on these exchanges or it will result in expensive fees compared to other tokens.

Code snippet

3.4. Administrators Addresses Management

Severity: owner privileges

Description

Any admin address added through

Code snippet

Line: 391 (https://gist.github.com/RideSolo/cd69639424c60572fe5e0f3cb3596418#file-xeuro-sol-L391)

3.5. Tokens Buy Back

Severity: owner privileges

Description

Tokens that are sent back to the contract address are logged and an event is emitted to the UI to process the exchange from tokens to fiat off-chain. If the payment does not succeed, the tokens should at least be sent back to the user; however, no function is intended to reimburse the users (fiat payment may not succeed for different reasons). Only the success case is treated, since the tokens can be burned later on using

Code snippet

3.6. Token Minting and Transfer

Severity: owner privileges

Description

To mint token using

Only specific addresses allowed through

Code snippet

Recommendation

As soon as

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/ce9e496aa70d315b58cf6d8baf68b959
https://gist.github.com/yuriy77k/bf72550d006394a82649da8509d77dfe
https://gist.github.com/yuriy77k/34a16d2e48bcba58c8a9ef3aefade126
Thank you!
Audit request
xEUR is a stable token (ERC-20) that can be exchanged to fiat EUR and vice versa.
See description on https://xeuro.online and FAQ on https://xeuro.online/#!/faq
Previous audit report: #218
Changes according to previous audit recommendations:
3.1. Known vulnerabilities of ERC-20 token, description 1. Double withdrawal attack: Fixed. Overloaded 'approve' function as described on https://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/ was implemented.
3.1. Known vulnerabilities of ERC-20 token, description 2. Lack of transaction handling mechanism issue: Fixed. 'transferAndCall' function implemented as the recommended method to send tokens to other smart contracts.
3.1. Known vulnerabilities of ERC-20 token, recommendation:
recommendation
cannot be implemented, as our smart contract allows sending tokens to the smart contract address to exchange tokens to fiat
3.2. Tokens can be burned multiple times on the same Id: Fixed.
3.3. ERC20 Compliance — event missing:
Audit recommendations do not conform to contract logic
'mintTokens' and 'burnTokens' functions should NOT emit the 'Transfer' event, we have special events for them ('TokensMinted' and 'TokensBurned'), but there is always 'Transfer' event after tokens were minted and before they were burned, as we mint and burn tokens only on contract address, so they have to be transferred to user after minting and transferred from user before burning.
3.4. ERC20 Compliance — method missing: Fixed. 'approve' function was added
3.5. Malicious monarchy admin: Fixed. Now the admin's real identity has to be verified via Cryptonomica.net and is public. Only an address with a valid verification in the Cryptonomica.net smart contract can be added as admin; this 1) should prevent adding an erroneous address as admin and 2) makes personal responsibility of the admin for his actions possible, since the admin becomes a publicly known person.
3.6. Token Uses No Decimals:
We use:
This was done deliberately so.
3.7. Token Transfer to 0x0 address: Fixed
3.8. It is necessary to check the input address to the zero-address: Fixed
Other changes:
Source code
https://etherscan.io/address/0xe577e0b200d00ebdecbfc1cd3f7e8e04c70476be#code
Disclosure policy
We'd like to publish the report.
Platform
Ethereum
Number of lines:
292 * 0.5 (reaudit) = 146
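As an added illustration (not xEUR's deployed code, whose source is linked above), a minimal allowance model showing the compare-and-set `approve` overload the request refers to for the double-withdrawal issue, next to the plain ERC-20 `approve`, with the zero-address check from the report's finding 3.2 in `transferFrom`; the `currentValue` parameter name and the contract name are assumed from the common pattern, not taken from the xEUR contract:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract (hypothetical name, not xEUR's code): shows why a plain
// allowance change is racy and how the overloaded approve closes that window.
contract AllowanceDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    // Plain ERC-20 approve: overwrites whatever allowance is currently set. If a spend
    // using the old allowance is mined first, the spender ends up with old + new.
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // Overloaded approve (compare-and-set): the owner states the allowance it observed;
    // if a transferFrom changed it in between, the call reverts instead of silently
    // granting a second allowance on top of the one already spent.
    function approve(address spender, uint256 currentValue, uint256 value) external returns (bool) {
        require(allowance[msg.sender][spender] == currentValue, "allowance changed");
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(to != address(0), "transfer to zero address"); // report finding 3.2
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= value, "allowance exceeded");
        require(balanceOf[from] >= value, "balance exceeded");
        allowance[from][msg.sender] = allowed - value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}
```

A client that reads `allowance(owner, spender)` and passes that value as `currentValue` gets a revert rather than a doubled allowance when a spend lands in between.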