-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bills of exchange factory #261
Comments
Auditing time: 3 days. |
@danbogd assigned |
Auditing time 2 days |
Estimated audit time 3 days. |
@codeblcks assigned. |
@MrCrambo assigned |
Ok. Noted. |
Estimated auditing time is 4 days. |
@gorbunovperm assigned |
My report is finished. |
1 similar comment
My report is finished. |
My audit report is ready. |
@codeblcks where is your audit report? Please, send it to yuri@callisto.network |
I didn't have your email id. I have shared the audit report. Please check. |
Bills of exchange factory Security Audit Report1. SummaryBills of exchange factory smart contract security audit report performed by Callisto Security Audit Department
https://cryptonomica.net/bills-of-exchange/ 2. In scope3. FindingsIn total, 9 issues were reported including:
No critical security issues were found. 3.1. Token Uses No DecimalsSeverity: noteDescriptionWhile the specification defined the number of token decimals to be 18, no decimals were found to be used. This can cause problems when interacting with other smart contracts as tokens with 0 decimals can cause rounding errors. For example, many exchanges charge a small fee based on the tokens exchanged. As such, using no decimals will either make it impossible to list the token on these exchanges or it will result in having expensive fees compared to other tokens. Code snippetLine 153. 3.2. ERC223 ComplianceSeverity: mediumDescriptionThe reviewed token contract is not ERC223 fully compliant.
3.3. Known vulnerabilities of ERC-20 tokenSeverity: lowDescription
RecommendationAdd into a function require( _to != address(this) );
3.4. No checking for zero addressSeverity: lowDescriptionIn this functions there are no checking for zero address.
3.5. Missing event call.Severity: lowDescriptionAccording to ERC20 standard, when initializing a token contract if any token value is set to any given address a transfer event should be emitted. Code snippetLine 200. 3.6. Owner PrivilegesSeverity: owner previligesDescriptionContract owner allow himself to:
4. ConclusionThe audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract. 5. Revealing audit reportshttps://gist.github.com/yuriy77k/26e2ee2e96ecb93091c5efbc2bddc7a4 https://gist.github.com/yuriy77k/adbf6e55c290b1382bf9c9dfea2c9ad2 https://gist.github.com/yuriy77k/135a6003cd890ee02a3edd90e566388a https://gist.github.com/yuriy77k/fa0bcf86093ada4e7ba06e9bedb1bd81 |
Remarks
ERC-20 standard does not require of token decimals to be 18.
This is not true. See the code:
'transfer(_to, _value)' called before '.tokenFallback' and it does add the token value to the balance before making the external call.
But this in no way means that our contract can not or should not implement 'approve' as required by ERC-20 or 'transferFrom' as described in ERC-677
As described in comments in code, we are aware of the imperfection of the ERC-20 standard. But we want our tokens to be ERC-20 compliant, so we keep legacy 'transfer' and 'approve' functions.
'initToken at line 187' -- can be called by factory contract only, one time. No possibility to have zero address here. 'changeCryptonomicaVerificationContractAddress at line 430' -- Can be called by admin only. If admin will set wrong address (any wrong address), the factory contract will stop working (not affecting already deployed bills of exchange contracts). But admin can easily change it to correct address. So we do not consider this an issue. 'signDisputeResolutionAgreementFor at line 737' -- entered address must be previously verified via cryptonomica.net smart contract, so there is no possibility it can be zero. 'initBillsOfExchange at line 786' - like 'initToken at line 187' can be called by factory contract only, one time only. No possibility to have zero address here. 'setLegal at line 851' - can be called by factory contract only, one time only. No possibility to have zero address here. 'createBillsOfExchange at line 981' - there is no argument of 'address' type in this function So none of this cases really needs checking for zero address.
Will be changed in production by adding the following line: emit Transfer(address(0), tokenOwner, totalSupply); to 'initToken' function
This is not true. Admin can change identity verification contract address used by factory. And it does not affect bills of exchange contracts already deployed via factory. And identity verification contract provides only information if identity of an Ethereum address was verified and this verification still valid and not revoked. Nothing like "implement any logic in the new contract"
Yes, admin can manage price for the service and address to withdraw funds. No issue there.
Any admin must be a person with valid identity verification (in implemented in the contract). It adds personal responsibility for admin actions. So as you can see admins can change parameters of the factory contract providing service to users, such as price, identity verification contract address etc., and this was made intentionally. But admins have absolutely no control over smart contracts created by users using factory smart contracts. Please, adjust audit conclusions/findings accordingly. |
Audit request
'Bills Of Exchange Factory' is a smart contracts based service that allows user to draw electronic bills or exchange.
'Bills Of Exchange Factory' creates new smart contracts for every new issue of bills.
Bills of exchange are created as tokens in separate smart contracts (separate smart contract for each new issue of bills). Every token (ERC20) is a bill of exchange in blank - payable to bearer (bearer is the owner of the Ethereum address witch holds the tokens, or the person he/she represents), but not to order - that means no endorsement is possible and the token holder can only transfer the token (bill of exchange in blank) itself.
Thus, all token bills in one smart contract have the same conditions (date of issue, drawer, drawee, amount, term, and so on). In one smart contract can exist one or many tokens (bills).
Tokens can be burned. For example, after making a payment on bills, the payer can "burn" these bills.
Every new created smart contract with bills of exchange get its number, and 'Bills Of Exchange Factory' smart contract maintains a ledger with numbers and addresses of smart contracts created via factory.
There is a web interface for smart contract (for now works on Ropsten only):
https://cryptonomica.net/bills-of-exchange/ , where you can find a more detailed description of the service and test smart contract with mock up data.
Source code
https://ropsten.etherscan.io/address/0x74eB4DBD3124D41B6775701FD1821571EAd5cf9A#code
Disclosure policy
We'd like to publish the report.
Platform
Ethereum
Number of lines:
445
The text was updated successfully, but these errors were encountered: