Skip to content

Commit

Permalink
Audit completed
Browse files Browse the repository at this point in the history
  • Loading branch information
bokkypoobah committed Nov 15, 2017
1 parent 99f5ce2 commit 7c7d170
Show file tree
Hide file tree
Showing 8 changed files with 1,676 additions and 3 deletions.
157 changes: 154 additions & 3 deletions audit/README.md
Original file line number Diff line number Diff line change
@@ -1,23 +1,135 @@
# Oracles Network Presale Contract Audit

Status: Work in progress

## Summary

Commits [5bc4391](https://github.com/oraclesorg/oracles-presale/commit/5bc439115ecebb0a52cfe9305f00f89756c5a90a).
[Oracles Network](https://oracles.org/) intends to run a presale commencing in Nov 2017.

Bok Consulting Pty Ltd was commissioned to perform an audit on the Oracles Network's presale Ethereum smart contract.

This audit has been conducted on Oracles Network's source code in commit
[5bc4391](https://github.com/oraclesorg/oracles-presale/commit/5bc439115ecebb0a52cfe9305f00f89756c5a90a).

No potential vulnerabilities have been identified in the presale contract.

<br />

### Mainnet Addresses

`TBA`

<br />

### Presale Contract

Ethers contributed by participants to the presale contract are immediately transferred to the presale wallet, reducing any risk of the loss
of ethers in this bespoke smart contract.

No tokens are generated for these contributions.

<br />

<hr />

## Table Of Contents

* [Summary](#summary)
* [Recommendations](#recommendations)
* [Potential Vulnerabilities](#potential-vulnerabilities)
* [Scope](#scope)
* [Limitations](#limitations)
* [Due Diligence](#due-diligence)
* [Risks](#risks)
* [Testing](#testing)
* [Code Review](#code-review)

<br />

<hr />

## Recommendations

* **LOW IMPORTANCE** Use the OpenZeppelin *Claimable* contract instead of the *Ownable* contract to provide more safety during the
ownership transfer process

* **LOW IMPORTANCE** The variable `PresaleOracles.rate` is unused and can be removed

* **LOW IMPORTANCE** Consider adding the logging of an event for each contribution, like `Contribution(address investor, uint investorAmount, uint investorTotal, uint totalAmount)`.
This data can then be easily extracted using a script, if there are many individual contributions

* **LOW IMPORTANCE** `BasicToken` can be replaced with the `ERC20Basic` interface in `PresaleOracles.claimTokens(...)`, and the `BasicToken`
contract source code can be removed

<br />

<hr />

## Potential Vulnerabilities

No potential vulnerabilities have been identified in the presale contract.

<br />

<hr />

## Scope

This audit is into the technical aspects of the presale contract. The primary aim of this audit is to ensure that funds
contributed to this contract is not easily attacked or stolen by third parties. The secondary aim of this audit is that
ensure the coded algorithms work as expected. This audit does not guarantee that that the code is bugfree, but intends to
highlight any areas of weaknesses.

<br />

<hr />

## Limitations

This audit makes no statements or warranties about the viability of the Oracles Network's business proposition, the individuals
involved in this business or the regulatory regime for the business model.

<br />

<hr />

## Due Diligence

As always, potential participants in any crowdsale are encouraged to perform their due diligence on the business proposition
before funding any crowdsales.

Potential participants are also encouraged to only send their funds to the official crowdsale Ethereum address, published on
the crowdsale beneficiary's official communication channel.

Scammers have been publishing phishing address in the forums, twitter and other communication channels, and some go as far as
duplicating crowdsale websites. Potential participants should NOT just click on any links received through these messages.
Scammers have also hacked the crowdsale website to replace the crowdsale contract address with their scam address.

Potential participants should also confirm that the verified source code on EtherScan.io for the published crowdsale address
matches the audited source code, and that the deployment parameters are correctly set, including the constant parameters.

<br />

<hr />

## Risks

* This presale contract has a low risk of having the ETH hacked or stolen, as any contributions by participants are immediately transferred
to the presale wallet.

<br />

<hr />

## Testing

The following functions were tested using the script [test/01_test1.sh](test/01_test1.sh) with the summary results saved
in [test/test1results.txt](test/test1results.txt) and the detailed output saved in [test/test1output.txt](test/test1output.txt):

* [x] Deploy Presale contract
* [x] Initialise contract
* [x] Whitelist accounts
* [x] Blacklist accounts
* [x] Send contributions for whitelisted addresses and blacklisted address (expecting failure)

<br />

<hr />
Expand All @@ -29,3 +141,42 @@ Commits [5bc4391](https://github.com/oraclesorg/oracles-presale/commit/5bc439115
* [x] contract ERC20Basic
* [x] contract BasicToken is ERC20Basic
* [x] contract PresaleOracles is Ownable

<br />

The following warning messages are generated when using the Solidity compiler 0.4.18 and are of low importance, due to recent changes to the
Solidity compiler version:

```
$ solc_0.4.18 PresaleOracles_flat.sol
PresaleOracles_flat.sol:40:3: Warning: No visibility specified. Defaulting to "public".
function Ownable() {
^
Spanning multiple lines.
PresaleOracles_flat.sol:4:3: Warning: Function state mutability can be restricted to pure
function mul(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:10:3: Warning: Function state mutability can be restricted to pure
function div(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:17:3: Warning: Function state mutability can be restricted to pure
function sub(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:22:3: Warning: Function state mutability can be restricted to pure
function add(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:127:5: Warning: Function state mutability can be restricted to pure
function Presale() public {
^
Spanning multiple lines.
```

<br />

<br />

(c) BokkyPooBah / Bok Consulting Pty Ltd for Oracles Network - Nov 15 2017. The MIT Licence.
Loading

0 comments on commit 7c7d170

Please sign in to comment.