-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
- 1 - Table of Contents
- 2 - Table of Contents
- 3 - Introduction
- 3.1 - Authenticity
- 3.2 - Audit Goals and Focus
- 3.2.1 - Smart Contract Best Practices
- 3.2.2 - Code Correctness
- 3.2.3 - Code Quality
- 3.2.4 - Security
- 3.2.5 - Testing and testability
- 3.3 - About ChainLink
- 3.4 - Terminology
- 3.4.1 - Likelihood
- 3.4.2 - Impact
- 3.4.3 - Severity
- 4 - Overview
- 4.1 - Source Code
- 4.2 - General Notes
- 4.3 - Contracts
- 4.4 - Testing
- 5 - Findings
- 5.1 - Note Issues
- 5.2 - Low Issues
- 5.3 - Medium Issues
- 5.4 - High Issues
- 5.5 - Critical Issues
On 2017-09-05 through 2017-09-14, Nick Johnson performed an audit of the ChainLink smart contracts. My findings are detailed below.
I, Nick Johnson have no stake or vested interest in SmartContract. This audit was performed under a contracted hourly rate with no other compensation.
This document should have an attached cryptographic signature to ensure it has not been tampered with. The signature can be verified using the public key from Nick Johnson's keybase.io record.
This audit will evaluate whether the codebase follows the current established best practices for smart contract development.
This audit will evaluate whether the code does what it is intended to do.
This audit will evaluate whether the code has been written in a way that ensures readability and maintainability.
This audit will look for any exploitable security vulnerabilities, or other potential threats to either the operators of ChainLink or its users.
This audit will examine how easily tested the code is, and review how thoroughly tested the code is.
ChainLink is a standard ERC20 and ERC677 token intended as a utility token for smartcontract.com's decentralized oracle network.
This audit uses the following terminology.
How likely a bug is to be encountered or exploited in the wild, as specified by the OWASP risk rating methodology.
The impact a bug would have if exploited, as specified by the OWASP risk rating methodology.
How serious the issue is, derived from Likelihood and Impact as specified by the OWASP risk rating methodology.
The ChainLink smart contract source code was made available in the smartcontractkit/LinkToken Github repository.
The code was audited as of commit 6a60e91b3d95f95f44c6480aef8211396d3bdf33
.
The following files were audited:
SHA1(./contracts/ERC677Token.sol)= 3197d8ce07deba03d6ad4a66ed9f4af84a6fc9af
SHA1(./contracts/LinkToken.sol)= 37475acc61c65ed9948130d93a6c03cf73974c76
SHA1(./contracts/math/SafeMath.sol)= 261547c9ef0d08453e6b7ddd4082d000234268de
SHA1(./contracts/token/BasicToken.sol)= b47237894910d926cce0543d9f1a5f8c82f7f5cb
SHA1(./contracts/token/ERC20.sol)= adc69ef924472ebfad212b0da86379473c88e6b3
SHA1(./contracts/token/ERC20Basic.sol)= b3a598f8444702646cc626d7ffd4d8127c0164c7
SHA1(./contracts/token/ERC677.sol)= 6b5c5e913aee36c7ad09d939083a731c98163f27
SHA1(./contracts/token/ERC677Receiver.sol)= 246d2f303f792a28e088c6c8d70d8c920b0f4122
SHA1(./contracts/token/StandardToken.sol)= 93c1a241476a744785a3bf24b10213098b564fb0
The code is generally well written and well modularised, with cleanly abstracted interface and base contracts. This made auditing significantly easier, and in my view the probability of hidden bugs is low.
LinkToken
implements the main ERC20 & ERC677 token, and inherits most of its
functionality from Standard677Token
, which in turn inherits most of its
functionality from StandardToken
, which in turn inherits some functionality
from BasicToken
. Other contracts provide interfaces required by the main contracts.
A fairly complete set of unit tests is provided. Unit tests are clearly written and easy to follow.
Testing is described in the README and is straightforward, but requires running a separate server process. No automated build is set up for the repository.
We recommend setting up an automated build, so new commits can be vetted against the existing test suite.
We found no issues that required attention.
None found.
None found.
None found.
None found.
None found. -----BEGIN PGP SIGNATURE----- Version: Keybase OpenPGP v2.0.73 Comment: https://keybase.io/crypto
wsFcBAABCgAGBQJZuslkAAoJEG2WSZMvKV0Sr5UP/0O/3J+IJ2lEuSL/wJsKaLTG hcPiMr7dtdXobSM2MAdGHa6y15QSmnT7e1XkXwBmfRvlA7L6Vv9a7dRyPWzN++Jj uULWekyRD+ZzJFRY6aDb0bLjBE4078uyA2FAzWPgBcHfObUprA7jjFVXNrAVQTAZ E8TUBGweqsLKoYkCncJPfA14/PmsfqGBcxzDSqJPZEDLciOa2XXoFHLiZEgT7SSG jwnTc0YcbcAf0JG1JD21vkOEco4SlDXGRGFGJslmYvRwg9F5aOjGhxc2qwb/NsTU PKDNVjwPmXYTuNujWp7uGRC8KV+Ft7CVN14sYQk+bZ7tZhebBkmHJ5Es5wZvLx5H vZVdo8Qa0pXayOX8QNYXQuaoSvOf/0aA4geeRlrEMdD/I6uLFTu/PreHC6PstDQq cAWetCWIraOyHdlBEwVTqK0HxdEyVU9icm+5H+4A8FFWNnIuGE0TD4j1B3mkusIi sE8Zqyp0Zg6/XVeJfK/vUHO6VP29HbHye3LL19AU4ZUvgEyq/GyhLxDV/u4zV5NG sjVhckHtr2G2Z3X0+8dq5MeDNcUEfQ3C4Hy7wLdr/LCgPJs7T3VfuJFwWo5uYWij uAWsEqZUjjYiJlSG5/FYNwYquaLc/OKhLndFkN28p6ygXwLChzrDwh5Y68xysnPg nRstMM862dw7bFtjya5g =24IK -----END PGP SIGNATURE-----