ERC20 and Crowdsale #4

Closed
yuriy77k opened this issue Jun 28, 2018 · 15 comments

@yuriy77k yuriy77k commented Jun 28, 2018

Audit request

ERC20andCrowdsale allows creating an ERC20 token and selling it in five stages with a different rate of exchange at each stage.

Source code

https://github.com/SamueleA/ERC20andCrowdsale

Disclosure policy

Publish everything.

Platform

ETC / ETH

@MrCrambo MrCrambo commented Jun 28, 2018

Auditing time: 7 days

@yuriy77k yuriy77k commented Jun 28, 2018

@MrCrambo assigned.

@RideSolo RideSolo commented Jun 28, 2018

Auditing time: 4 days

@yuriy77k yuriy77k commented Jun 28, 2018

@RideSolo assigned.

@gorbunovperm gorbunovperm commented Jun 28, 2018

@yuriy77k Is this request approved? The corresponding label is missing.

@yuriy77k yuriy77k commented Jun 29, 2018

@gorbunovperm yes, it's approved.

@gorbunovperm gorbunovperm commented Jun 29, 2018

Estimated auditing time is 7 days.

@yuriy77k yuriy77k commented Jun 30, 2018

@gorbunovperm assigned.

@MrCrambo MrCrambo commented Jul 1, 2018

@yuriy77k report done.

@alexo18 alexo18 commented Jul 2, 2018

Auditing time: 5 days

@yuriy77k yuriy77k commented Jul 3, 2018

@MrCrambo assigned.

@yuriy77k yuriy77k commented Jul 3, 2018

@alexo18 assigned.

@yuriy77k yuriy77k added approved solidity and removed approved labels Jul 5, 2018

@Dexaran Dexaran commented Jul 10, 2018

Are the reports finished?
If yes, then @yuriy77k should publish reports and submit a conclusion.

@yuriy77k yuriy77k commented Jul 10, 2018

@Dexaran I'll wait for the last report to make a conclusion.

@yuriy77k yuriy77k commented Jul 14, 2018

ERC20andCrowdsale smart contract security audit conclusion: no critical issue, bug fixing is necessary.

Medium severity issues:

Revealing audit reports:

https://gist.github.com/yuriy77k/361d9fb7a15964108df074693c1111cd
https://gist.github.com/yuriy77k/aac699435f6001de1c7f8cac36886f1e
https://gist.github.com/yuriy77k/4b70f783eb5342f03560fb84055a34ce
https://gist.github.com/yuriy77k/b65fcc7d8453c5162cda871bb5c40565

@RideSolo

Notes regarding the https://gist.github.com/RideSolo/14ad397f41209193024772ba63850fe2 report.

  • The risk for users to lose tokens when sending to the wrong address is a common problem for ERC20; it does not matter which address they send it to (address(0) or any other wrong address).

Severity: medium

@gorbunovperm

Notes regarding the https://gist.github.com/gorbunovperm/c90e99f0322327cb3aa5b78efa9a8f4d report.

  • Sending tokens to empty address has a medium severity.

  • An attack on the Approve/TransferFrom methods is a common problem for the ERC20 API and can be exploited in some specific circumstances, so it has a medium severity.

  • StageLevel is not checked at all. So it does not matter what value it has. Main purpose of endCrowdsale() is to send remaining tokens to whomever he wants.

@alexo18

Notes regarding the https://gist.github.com/alexo18/e5558d8e863de0a139455000f86352fa report.

  • A modifier is not needed because SafeMath is used. Not a security issue.

  • Permanent wallet has low severity.

  • StageLevel is not checked at all. So it does not matter what value it has. Main purpose of endCrowdsale() is to send remaining tokens to whomever he wants.

@MrCrambo

Notes regarding the https://gist.github.com/MrCrambo/7a494e4f755ac3e6e496d05b2fd89990 report.

  • Sending tokens to empty address has a medium severity.

  • Integer overflow is possible only theoretically. Practically, there is not enough ETH mined to make this attack, and even if there were enough, this attack would not give any profit to the attacker. Severity is low.

@yuriy77k yuriy77k assigned yuriy77k and unassigned yuriy77k Jul 15, 2018
@yuriy77k yuriy77k closed this Jul 16, 2018