Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ExploreCoin #236

Closed
yuriy77k opened this issue May 3, 2019 · 8 comments

Comments

Projects
None yet
5 participants
@yuriy77k
Copy link
Member

commented May 3, 2019

Audit request

ExploreCoin (EPL) is an ERC 20 token, smart contract recently deployed.

https://www.explorecoin.io/

Source code

https://etherscan.io/address/0x2802faad8a0f9595c1660c436c7e51d9ce97b1e9#code

Disclosure policy

admin@explorecoin.io

Platform

ETH

Number of lines:

128

@RideSolo

This comment has been minimized.

Copy link

commented May 3, 2019

Auditing time: 1 day.

@yuriy77k

This comment has been minimized.

Copy link
Member Author

commented May 3, 2019

@RideSolo assigned

@MrCrambo

This comment has been minimized.

Copy link

commented May 4, 2019

Auditing time 1 day

@gorbunovperm

This comment has been minimized.

Copy link

commented May 4, 2019

Estimated auditing time is 1 day.

@gorbunovperm

This comment has been minimized.

Copy link

commented May 4, 2019

My report is finished.

@yuriy77k

This comment has been minimized.

Copy link
Member Author

commented May 4, 2019

@yuriy77k

This comment has been minimized.

Copy link
Member Author

commented May 5, 2019

ExploreCoin Security Audit Report

1. Summary

ExploreCoin smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 4 issues were reported including:

  • 3 low severity issues.

  • 1 notes.

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

3.2. Decrease Allowance

Severity: low

Description

decreaseAllowance throw in case if the value to be substracted is higher than the amount that is allowed, if the address owner wants to change the value allowed by reducing it and the spender withdraw a part of it before, the function might throw and give more chances for the spender to take the rest of the allowed value.

The value should be set to zero if the value to be subtracted is higher than the allowance.

Code snippet

line 211

3.3. Zero address checking required

Severity: low

Description

In constructor at line 306 there have to be zero address checking for feeReceiver and tokenOwnerAddress.

Code snippet

line 306

3.4. EPL Token is not Burnable

Severity: note

Description

Functions _burn and _burnFrom are internal and unused.

Code snippet

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/18e58f1d87b9cf05db92b89b7512b87f

https://gist.github.com/yuriy77k/0e650f3827e33abcd9f45a68e71f03e4

https://gist.github.com/yuriy77k/13fb50504be43071bd55615ee38be669

@yuriy77k yuriy77k closed this May 5, 2019

@Explorecoin

This comment has been minimized.

Copy link

commented May 7, 2019

Thanks a lot for the audit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.