Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SafeUpgradeableTokenERC20 #265

Closed
yuriy77k opened this issue May 29, 2019 · 10 comments
Closed

SafeUpgradeableTokenERC20 #265

yuriy77k opened this issue May 29, 2019 · 10 comments
Labels
approved Auditors can begin to audit this smart contract. solidity Smart-contract is written in solidity (Ethereum) language.

Comments

@yuriy77k
Copy link
Contributor

Audit request

The SafeUpgradeableTokenERC20 smart contract is an ERC20 token implementation created to serve the BOK token of the Blockium platform https://www.blockium.io/ which will be provided in an IEO on Bitforex in the beginning of June and then in an IEO on Coineal right after it. More information about BOK can be found in the Blockium link.
However the SafeUpgradeableTokenERC20 was a result of an extensive security recommendations research and it combines numerous security recommendations and best practices as described here: https://github.com/guylando/EthereumSmartContracts/blob/master/README.md#safeupgradeabletokenerc20-contract
It was open sourced and provided together with the 200+ unit tests publicly so that after its security level will be proven it will be available for other tokens creators who want to use a safe and secure ERC20 implementation which has many protection mechanisms and this way to make the general community and network more secure.
We will appreciate for SafeUpgradeableTokenERC20 to be audited by the Callisto network and we will gladly publish in the contract github afterwards that it was audited by the Callisto network.

Source code

https://github.com/guylando/EthereumSmartContracts/blob/master/SafeUpgradeableTokenERC20/contracts/SafeUpgradeableTokenERC20.sol

Disclosure policy

[email protected]

Platform

ETH

Number of lines:

394
@yuriy77k yuriy77k added approved Auditors can begin to audit this smart contract. solidity Smart-contract is written in solidity (Ethereum) language. labels May 29, 2019
@MrCrambo
Copy link

Auditing time 2 days

@yuriy77k
Copy link
Contributor Author

@MrCrambo assigned

@danbogd
Copy link

danbogd commented May 31, 2019

Auditing time 3 days.

@RideSolo
Copy link

Auditing time 2 days.

@yuriy77k
Copy link
Contributor Author

yuriy77k commented Jun 1, 2019

@danbogd @RideSolo assigned

@danbogd
Copy link

danbogd commented Jun 1, 2019

My report is finished.

@yuriy77k
Copy link
Contributor Author

yuriy77k commented Jun 9, 2019
edited
Loading

Safe Upgradeable Token ERC20 Security Audit Report

1. Summary

Safe Upgradeable Token ERC20 smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 2 issues were reported including:

  • 1 low severity issues.

  • 1 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).

No critical security issues were found.

3.1. Allowance Approval

Severity: low

Description

Following ERC20 standard, approve function "Allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again it overwrites the current allowance with _value.", However the implemented function throw in case if allowed[msg.sender][_spender] is different than zero or _value different than zero. This partially solve double withdrawal attack but create incompatibility for some Dapps and do not allow the user to directly reduce the allowance creating a race between user and spender.

Code snippet

https://github.com/RideSolo/EthereumSmartContracts/blob/master/SafeUpgradeableTokenERC20/contracts/SafeUpgradeableTokenERC20.sol#L217#LL229

3.2. Owner Privilege

Severity: owner privileges

Description

The token owner allow himself to:

  • Pause/unpause tokens transfers / transferFrom / allowance allocation and approvals

Code snippet

https://github.com/RideSolo/EthereumSmartContracts/blob/master/SafeUpgradeableTokenERC20/contracts/SafeUpgradeableTokenERC20.sol#L505#L524

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/yuriy77k/1dd50f527012fc0d18ba5cc8ea34edbe

https://gist.github.com/yuriy77k/c15a757737adcf079bd6e92156796231

https://gist.github.com/yuriy77k/c2c2132bcb35c54d82f4c2828990f500

@yuriy77k yuriy77k closed this as completed Jun 9, 2019
@guylando
Copy link

guylando commented Jun 9, 2019

@yuriy77k Thanks for the audit!
Correct me if I am wrong but in setUpgradeMaster there is a modifier validateAddress which DOES check for input address not being the zero address. Did 3.3 miss this modifier?

@yuriy77k
Copy link
Contributor Author

yuriy77k commented Jun 9, 2019 via email

@MillianoConti
Copy link

Reddit announcement

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
approved Auditors can begin to audit this smart contract. solidity Smart-contract is written in solidity (Ethereum) language.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@MrCrambo @guylando @danbogd @RideSolo @yuriy77k @MillianoConti