Arachnid/linkaudit.md Secret

## linkaudit.md

      
    Raw
  

              linkaudit.md
            
          
    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Section 1 - Table of Contents


1 - Table of Contents
2 - Table of Contents
3 - Introduction

3.1 - Authenticity
3.2 - Audit Goals and Focus

3.2.1 - Smart Contract Best Practices
3.2.2 - Code Correctness
3.2.3 - Code Quality
3.2.4 - Security
3.2.5 - Testing and testability


3.3 - About ChainLink
3.4 - Terminology

3.4.1 - Likelihood
3.4.2 - Impact
3.4.3 - Severity


4 - Overview

4.1 - Source Code
4.2 - General Notes
4.3 - Contracts
4.4 - Testing


5 - Findings

5.1 - Note Issues
5.2 - Low Issues
5.3 - Medium Issues
5.4 - High Issues
5.5 - Critical Issues


 Section 2 - Table of Contents

 Section 3 - Introduction

On 2017-09-05 through 2017-09-14, Nick Johnson performed an audit of the ChainLink smart
contracts. My findings are detailed below.
I, Nick Johnson have no stake or vested interest in SmartContract. This audit
was performed under a contracted hourly rate with no other compensation.
 3.1 Authenticity

This document should have an attached cryptographic signature to ensure it has not been tampered with.  The signature can be verified using the public key from Nick Johnson's keybase.io record.
 3.2 Audit Goals and Focus

 3.2.1 Smart Contract Best Practices

This audit will evaluate whether the codebase follows the current established
best practices for smart contract development.
 3.2.2 Code Correctness

This audit will evaluate whether the code does what it is intended to do.
 3.2.3 Code Quality

This audit will evaluate whether the code has been written in a way that
ensures readability and maintainability.
 3.2.4 Security

This audit will look for any exploitable security vulnerabilities, or other
potential threats to either the operators of ChainLink or its users.
 3.2.5 Testing and testability

This audit will examine how easily tested the code is, and review how thoroughly
tested the code is.
 3.3 About ChainLink

ChainLink is a standard ERC20 and ERC677 token intended as a utility token for
smartcontract.com's decentralized oracle network.
 3.4 Terminology

This audit uses the following terminology.
 3.4.1 Likelihood

How likely a bug is to be encountered or exploited in the wild, as specified by the
OWASP risk rating methodology.
 3.4.2 Impact

The impact a bug would have if exploited, as specified by the
OWASP risk rating methodology.
 3.4.3 Severity

How serious the issue is, derived from Likelihood and Impact as specified by the OWASP risk rating methodology.
 Section 4 - Overview

 4.1 Source Code

The ChainLink smart contract source code was made available in the smartcontractkit/LinkToken Github repository.
The code was audited as of commit 6a60e91b3d95f95f44c6480aef8211396d3bdf33.
The following files were audited:
SHA1(./contracts/ERC677Token.sol)= 3197d8ce07deba03d6ad4a66ed9f4af84a6fc9af
SHA1(./contracts/LinkToken.sol)= 37475acc61c65ed9948130d93a6c03cf73974c76
SHA1(./contracts/math/SafeMath.sol)= 261547c9ef0d08453e6b7ddd4082d000234268de
SHA1(./contracts/token/BasicToken.sol)= b47237894910d926cce0543d9f1a5f8c82f7f5cb
SHA1(./contracts/token/ERC20.sol)= adc69ef924472ebfad212b0da86379473c88e6b3
SHA1(./contracts/token/ERC20Basic.sol)= b3a598f8444702646cc626d7ffd4d8127c0164c7
SHA1(./contracts/token/ERC677.sol)= 6b5c5e913aee36c7ad09d939083a731c98163f27
SHA1(./contracts/token/ERC677Receiver.sol)= 246d2f303f792a28e088c6c8d70d8c920b0f4122
SHA1(./contracts/token/StandardToken.sol)= 93c1a241476a744785a3bf24b10213098b564fb0

 4.2 General Notes

The code is generally well written and well modularised, with cleanly abstracted
interface and base contracts. This made auditing significantly easier, and in my
view the probability of hidden bugs is low.
 4.3 Contracts

LinkToken implements the main ERC20 & ERC677 token, and inherits most of its
functionality from Standard677Token, which in turn inherits most of its
functionality from StandardToken, which in turn inherits some functionality
from BasicToken. Other contracts provide interfaces required by the main contracts.
 4.4 Testing

A fairly complete set of unit tests is provided. Unit tests are clearly written
and easy to follow.
Testing is described in the README and is straightforward, but requires running
a separate server process. No automated build is set up for the repository.
We recommend setting up an automated build, so new commits can be vetted against
the existing test suite.
 Section 5 - Findings

We found no issues that required attention.
 5.1 Note Issues

None found.
 5.2 Low Issues

None found.
 5.3 Medium Issues

None found.
 5.4 High Issues

None found.
 5.5 Critical Issues

None found.
-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.73
Comment: https://keybase.io/crypto
wsFcBAABCgAGBQJZuslkAAoJEG2WSZMvKV0Sr5UP/0O/3J+IJ2lEuSL/wJsKaLTG
hcPiMr7dtdXobSM2MAdGHa6y15QSmnT7e1XkXwBmfRvlA7L6Vv9a7dRyPWzN++Jj
uULWekyRD+ZzJFRY6aDb0bLjBE4078uyA2FAzWPgBcHfObUprA7jjFVXNrAVQTAZ
E8TUBGweqsLKoYkCncJPfA14/PmsfqGBcxzDSqJPZEDLciOa2XXoFHLiZEgT7SSG
jwnTc0YcbcAf0JG1JD21vkOEco4SlDXGRGFGJslmYvRwg9F5aOjGhxc2qwb/NsTU
PKDNVjwPmXYTuNujWp7uGRC8KV+Ft7CVN14sYQk+bZ7tZhebBkmHJ5Es5wZvLx5H
vZVdo8Qa0pXayOX8QNYXQuaoSvOf/0aA4geeRlrEMdD/I6uLFTu/PreHC6PstDQq
cAWetCWIraOyHdlBEwVTqK0HxdEyVU9icm+5H+4A8FFWNnIuGE0TD4j1B3mkusIi
sE8Zqyp0Zg6/XVeJfK/vUHO6VP29HbHye3LL19AU4ZUvgEyq/GyhLxDV/u4zV5NG
sjVhckHtr2G2Z3X0+8dq5MeDNcUEfQ3C4Hy7wLdr/LCgPJs7T3VfuJFwWo5uYWij
uAWsEqZUjjYiJlSG5/FYNwYquaLc/OKhLndFkN28p6ygXwLChzrDwh5Y68xysnPg
nRstMM862dw7bFtjya5g
=24IK
-----END PGP SIGNATURE-----