Find file History
Pull request Compare This branch is 19 commits ahead of svandisproject:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
code-review
test
README.md

README.md

Svandis Crowdsale Contract Audit

Summary

Svandis intends to run a crowdsale in the near future.

Bok Consulting Pty Ltd was commissioned to perform an audit on the Ethereum crowdsale smart contracts for Svandis.

This audit has been conducted on Svandis' source code in commits 88b8ac4, 62d4b53, de9ebb3, 2a33eab, 2be689b, e40b125 and 9146747.

No potential vulnerabilities have been identified in the crowdsale/token contract.



Table Of Contents



Note

Note that for addMultipleToWhitelist(...) and addMultipleToCompanyWhitelist(...), the check against balances[this] is not effective against the sum of all _quantities. So just be careful in your whitelisting and spreadsheet calculations.



Recommendations

  • MEDIUM IMPORTANCE For whitelisting, use a separate whitelist data structure instead of reusing the allowed data structure
  • MEDIUM IMPORTANCE Use the SafeMath library to prevent overflow and underflows. Sample code in FixedSupplyToken.sol
  • LOW IMPORTANCE In Svandis uint256 constant public decimals = 18; should be of type uint8
  • LOW IMPORTANCE In Sale, uint256 public preSaleRate; is unused
  • LOW IMPORTANCE In Sale.buyTokens(), uint256 quantity = (msg.value * tierToRates[currentTier]).div(1 ether); should use SafeMath
  • LOW IMPORTANCE In EIP20Interface, pragma solidity ^0.4.19; while the other 2 files specify pragma solidity ^0.4.21;
  • LOW IMPORTANCE In Svandis, uint256 constant public totalSupply = 400000000000000000000000000; better expressed as uint256 constant public totalSupply = 400000000 * 10**uint256(decimals) and swap the line position with uint8 constant public decimals = 18;
  • LOW IMPORTANCE In Svandis, there should be some consistency with keywords, and their order
    • uint256 constant private MAX_UINT256 = 2**256 - 1; should be rearranged to be private constant
    • uint256 constant public totalSupply ... should be rearranged to be public constant
    • uint8 constant public decimals = 18; should be rearranged to be public constant
    • string public name = 'Svandis'; can be made public constant
    • string public symbol = 'SVN'; can be made public constant
  • LOW IMPORTANCE In Svandis, reorder the constant and variable declarations to be symbol, name, decimals, blank line, version, blank line, totalSupply, blank line, MAX_UINT256, blank line, balances, allowed.
  • LOW IMPORTANCE Sale.sol will not compile with Solc pragma solidity ^0.4.21 as the constructor() keyword is not recognised in this compiler version. Consider changing the minimum compiler version to ^0.4.23 in all the source files
  • LOW IMPORTANCE Consider making Sale.owner, Sale.withdrawWallet and Sale.enableSale public as it helps with testing and debugging
  • LOW IMPORTANCE The statement require(_from != address(this)); can be removed from Svandis.transferFrom(...)
  • LOW IMPORTANCE Move *.sol into a contracts subdirectory


Potential Vulnerabilities

No potential vulnerabilities have been identified in the crowdsale/token contract.



Scope

This audit is into the technical aspects of the crowdsale contracts. The primary aim of this audit is to ensure that funds contributed to these contracts are not easily attacked or stolen by third parties. The secondary aim of this audit is to ensure the coded algorithms work as expected. This audit does not guarantee that that the code is bugfree, but intends to highlight any areas of weaknesses.



Limitations

This audit makes no statements or warranties about the viability of the Svandis' business proposition, the individuals involved in this business or the regulatory regime for the business model.



Due Diligence

As always, potential participants in any crowdsale are encouraged to perform their due diligence on the business proposition before funding any crowdsales.

Potential participants are also encouraged to only send their funds to the official crowdsale Ethereum address, published on the crowdsale beneficiary's official communication channel.

Scammers have been publishing phishing address in the forums, twitter and other communication channels, and some go as far as duplicating crowdsale websites. Potential participants should NOT just click on any links received through these messages. Scammers have also hacked the crowdsale website to replace the crowdsale contract address with their scam address.

Potential participants should also confirm that the verified source code on EtherScan.io for the published crowdsale address matches the audited source code, and that the deployment parameters are correctly set, including the constant parameters.



Risks

  • There are several configuration parameters in the smart contracts (withdrawWallet and tierToRates) that need to be set correctly for the sale to operate as expected. These will need to be checked carefully after deployment to ensure that the sale runs smoothly.
    • After deploying the contracts to mainnet and configuring the parameters, I would recommend whitelisting a test account, sending a small amount (e.g. 0.01 ETH) and checking the tokens transferred and that the ETH ends up in the correct withdrawWallet.
  • Ethers contributed to the crowdsale/token contract are transferred directly to the crowdsale wallet, and tokens are transferred from the crowdsale/token contract to the contributing account. This reduces the severity of any attacks on the crowdsale/token contract.


Testing

Details of the testing environment can be found in test.

The following functions were tested using the script test/01_test1.sh with the summary results saved in test/test1results.txt and the detailed output saved in test/test1output.txt:

  • Deploy crowdsale/token contracts
  • Set withdraw wallet
  • Whitelist addresses
  • Set rates for tiers
  • Contribute at PreSale rates
  • Switch to Tier 1
  • Contribute at Tier 1
  • Switch to Tier 2
  • Transfer company tokens
  • transfer(...), approve(...) and transferFrom(...) tokens
  • transfer(...), approve(...) and transferFrom(...) 0 tokens
  • transfer(...), approve(...) and transferFrom(...) too many tokens


Code Review


Excluded - Only Used For Testing



(c) BokkyPooBah / Bok Consulting Pty Ltd for Svandis - Jul 31 2018. The MIT Licence.