CALL token #289
Comments
@yuriy77k Could we get the in-scope contracts for this audit? Are all the contracts auditable?
@RideSolo assigned
Auditing time 3 days
@MrCrambo assigned
@yuriy77k I will assume yes, since I didn't get an answer.
@RideSolo you have to audit all .sol files in the contract folder, except the test folder and migration.sol
My report is finished
@yuriy77k If the archive or repository contains various files or some of the files should be excluded from the audit, then it should also be described. Please, let's keep it accurate and clear for everyone.
@Dexaran got it
Auditing time: 3 days.
@danbogd assigned
My report is finished
Call Token Security Audit Report

1. Summary

Call Token smart contract security audit report performed by Callisto Security Audit Department.

2. In scope

Following files from https://gcalliance.io/wp-content/uploads/call-master-june19.zip

3. Findings

8 issues were reported:

3.1. Naming Error

Severity: note

Description

ERC664Balances.sol is based on ERC644, not ERC664 (ERC664 does not exist in ethereum/EIPs#664); check here for further detail.

3.2. Default Operators

Severity: owner privilege

Description

Default operators are allowed by default to manage ERC777 token holders' funds; investors should be aware that their funds can be managed by addresses that are sent at contract creation by the contract owner. Please note that default operators are defined by ERC777 following some specific recommendations.

Code snippet

token/ERC777.sol:

3.3. ERC777 Compliance

Severity: medium

Description

Default operators as defined in EIP777 must:

As described, the default operators must be invariant; however, the "CStore" contract contains a function named

Please note that CStore is further used in the ERC777 implementation:

Code snippet

CStore.sol:

3.4. ERC644 Compliance

Severity: low

Description

The original implementation of ERC644 (here) implements

Please note that this issue is set as low since the concerned functions are disabled later on, before being inherited by CALL.sol, but this issue should be noted to avoid a future breach of operability.

Code snippet

misc/ERC664Balances.sol:

3.5. Total Access to Token Holders' funds

Severity: owner privileges

Description

As can be seen in the constructor of the CALL token, the owner of

The owner does not need access to all these functions, since, as described in the "ERC777 Compliance" issue, the default operators must not be changed, and all other functions should be managed only by the investors, not by the owner. The above-mentioned functions give the owner full access to manage the token holders' funds without any permission from them. Investors should be aware that they are not 100% in control of their assets.

Recommendation

This issue can be avoided by just removing the "balancesDB.transferOwnership(_initialOwner);" line from the CALL.sol constructor.

Code snippet

CALL.sol:

CStore.sol:

ERC664Balances.sol:

3.6. Total Access to Token Holders' funds

Severity: owner privileges

Description

The owner allows himself to change

Code snippet

CALL.sol:

3.7. Known vulnerabilities of ERC-20 token

Severity: low

Description

Please note that ERC777ERC20Compat.sol re-adapts ERC777 and ERC644 functions to ERC20, making the token vulnerable to the following known issues. Also please note that ERC777 by itself does not completely solve the following descriptions.

3.8. Ability to disable/enable ERC20Token

Severity: owner privileges

Description

Owner can disable/enable all ERC20 functions (transfer, transferFrom, approve).

Code snippet

CALL.sol, line 40, 49:

```solidity
/**
 * @notice Disables the ERC20 interface. This function can only be called
 * by the owner.
 */
function disableERC20() public onlyOwner {
    mErc20compatible = false;
    setInterfaceImplementation("ERC20Token", address(0));
}

/**
 * @notice Re enables the ERC20 interface. This function can only be called
 * by the owner.
 */
```

4. Conclusion

The highlighted issues should be fixed before deployment.

5. Revealing audit reports

https://gist.github.com/yuriy77k/4fb0bde46c348981e1ec690be43af3f6
https://gist.github.com/yuriy77k/37713f0303f150687ed8999aeb6ebabf
https://gist.github.com/yuriy77k/0f11112f230ac4b727f11ae09751062f
Thank you very much for the report Callisto Security. We're reviewing all highlighted issues.
Audit request

ERC777 with a multi send addition and ERC20 compatibility. The database contract does not implement an approved ERC.

In scope

All .sol files in:
call-master/contracts/ (except Migrations.sol)
call-master/contracts/interfaces
call-master/contracts/misc
call-master/contracts/token

Source code
https://gcalliance.io/wp-content/uploads/call-master-june19.zip

Disclosure policy
ppanos@protonmail.com, opeculiar@protonmail.com

Platform
Ethereum

Number of lines: 624