
@Arachnid
Last active Mar 13, 2019

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Section 1 - Table of Contents

Section 2 - Table of Contents

Section 3 - Introduction

From 2017-09-05 through 2017-09-14, Nick Johnson performed an audit of the ChainLink smart contracts. My findings are detailed below.

I, Nick Johnson, have no stake or vested interest in SmartContract. This audit was performed under a contracted hourly rate with no other compensation.

3.1 Authenticity

This document should have an attached cryptographic signature to ensure it has not been tampered with. The signature can be verified using the public key from Nick Johnson's keybase.io record.

3.2 Audit Goals and Focus

3.2.1 Smart Contract Best Practices

This audit will evaluate whether the codebase follows the current established best practices for smart contract development.

3.2.2 Code Correctness

This audit will evaluate whether the code does what it is intended to do.

3.2.3 Code Quality

This audit will evaluate whether the code has been written in a way that ensures readability and maintainability.

3.2.4 Security

This audit will look for any exploitable security vulnerabilities, or other potential threats to either the operators of ChainLink or its users.

3.2.5 Testing and Testability

This audit will examine how easily tested the code is, and review how thoroughly tested the code is.

3.3 About ChainLink

ChainLink is a standard ERC20 and ERC677 token intended as a utility token for smartcontract.com's decentralized oracle network.

3.4 Terminology

This audit uses the following terminology.

3.4.1 Likelihood

How likely a bug is to be encountered or exploited in the wild, as specified by the OWASP risk rating methodology.

3.4.2 Impact

The impact a bug would have if exploited, as specified by the OWASP risk rating methodology.

3.4.3 Severity

How serious the issue is, derived from Likelihood and Impact as specified by the OWASP risk rating methodology.

Section 4 - Overview

4.1 Source Code

The ChainLink smart contract source code was made available in the smartcontractkit/LinkToken Github repository.

The code was audited as of commit 6a60e91b3d95f95f44c6480aef8211396d3bdf33.

The following files were audited:

SHA1(./contracts/ERC677Token.sol)= 3197d8ce07deba03d6ad4a66ed9f4af84a6fc9af
SHA1(./contracts/LinkToken.sol)= 37475acc61c65ed9948130d93a6c03cf73974c76
SHA1(./contracts/math/SafeMath.sol)= 261547c9ef0d08453e6b7ddd4082d000234268de
SHA1(./contracts/token/BasicToken.sol)= b47237894910d926cce0543d9f1a5f8c82f7f5cb
SHA1(./contracts/token/ERC20.sol)= adc69ef924472ebfad212b0da86379473c88e6b3
SHA1(./contracts/token/ERC20Basic.sol)= b3a598f8444702646cc626d7ffd4d8127c0164c7
SHA1(./contracts/token/ERC677.sol)= 6b5c5e913aee36c7ad09d939083a731c98163f27
SHA1(./contracts/token/ERC677Receiver.sol)= 246d2f303f792a28e088c6c8d70d8c920b0f4122
SHA1(./contracts/token/StandardToken.sol)= 93c1a241476a744785a3bf24b10213098b564fb0
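The scope list above is in the `SHA1(path)= digest` form that `openssl sha1` prints. Anyone re-checking this audit against a checkout wants to confirm that the files they hold are the ones that were audited. The following script is an added example, not part of the audit or of the LinkToken repository: it parses a manifest in that format, hashes each listed file relative to a repository root, and reports `ok`, `mismatch` or `missing` per entry. The `demo()` scenario uses constructed files and the well-known SHA-1 digests of `abc` and of the empty string, not the real contract files or the digests listed above.

```python
import hashlib
import os
import re
import tempfile

# Matches one OpenSSL-style manifest line, e.g.
# "SHA1(./contracts/LinkToken.sol)= 37475acc61c65ed9948130d93a6c03cf73974c76".
MANIFEST_LINE = re.compile(r"^SHA1\((?P<path>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]{40})$")


def parse_manifest(text):
    """Return {path: expected_sha1_hex} for every manifest line; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            entries[m.group("path")] = m.group("digest").lower()
    return entries


def sha1_of_file(path):
    """Stream the file through SHA-1 so large sources do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(text, root):
    """Check each manifest entry against the file at root/path.

    Returns {path: "ok" | "mismatch" | "missing"}. Manifest paths are taken as
    relative to root, matching the "./contracts/..." form used in the audit scope.
    """
    results = {}
    for rel, expected in parse_manifest(text).items():
        full = os.path.normpath(os.path.join(root, rel))
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif sha1_of_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed scenario (hypothetical files, not the audited repository):
    one intact file, one file whose contents differ from the manifest, and one
    file that is absent. The digests are sha1(b"abc") and sha1(b"")."""
    manifest = "\n".join([
        "SHA1(./contracts/Intact.sol)= a9993e364706816aba3e25717850c26c9cd0d89d",    # sha1("abc")
        "SHA1(./contracts/Tampered.sol)= da39a3ee5e6b4b0d3255bfef95601890afd80709",  # sha1("")
        "SHA1(./contracts/Missing.sol)= da39a3ee5e6b4b0d3255bfef95601890afd80709",   # sha1("")
    ])
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "contracts"))
        with open(os.path.join(root, "contracts", "Intact.sol"), "wb") as f:
            f.write(b"abc")
        with open(os.path.join(root, "contracts", "Tampered.sol"), "wb") as f:
            f.write(b"pragma solidity ^0.4.11;\n")  # does not hash to the manifest value
        # Missing.sol is deliberately never created.
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

Run against a real checkout, `verify_manifest(open("audit-scope.txt").read(), "/path/to/LinkToken")` with the nine lines above saved as the manifest would confirm that the checked-out sources match the audited ones; note that SHA-1 is used here only because the audit published SHA-1 digests, and a fresh manifest should be produced with SHA-256 or stronger.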

4.2 General Notes

The code is generally well written and well modularised, with cleanly abstracted interface and base contracts. This made auditing significantly easier, and in my view the probability of hidden bugs is low.

4.3 Contracts

LinkToken implements the main ERC20 & ERC677 token, and inherits most of its functionality from Standard677Token, which in turn inherits most of its functionality from StandardToken, which in turn inherits some functionality from BasicToken. Other contracts provide interfaces required by the main contracts.

4.4 Testing

A fairly complete set of unit tests is provided. Unit tests are clearly written and easy to follow.

Testing is described in the README and is straightforward, but requires running a separate server process. No automated build is set up for the repository.

We recommend setting up an automated build, so new commits can be vetted against the existing test suite.

Section 5 - Findings

We found no issues that required attention.

5.1 Note Issues

None found.

5.2 Low Issues

None found.

5.3 Medium Issues

None found.

5.4 High Issues

None found.

5.5 Critical Issues

None found.

-----BEGIN PGP SIGNATURE-----
Version: Keybase OpenPGP v2.0.73
Comment: https://keybase.io/crypto

wsFcBAABCgAGBQJZuslkAAoJEG2WSZMvKV0Sr5UP/0O/3J+IJ2lEuSL/wJsKaLTG
hcPiMr7dtdXobSM2MAdGHa6y15QSmnT7e1XkXwBmfRvlA7L6Vv9a7dRyPWzN++Jj
uULWekyRD+ZzJFRY6aDb0bLjBE4078uyA2FAzWPgBcHfObUprA7jjFVXNrAVQTAZ
E8TUBGweqsLKoYkCncJPfA14/PmsfqGBcxzDSqJPZEDLciOa2XXoFHLiZEgT7SSG
jwnTc0YcbcAf0JG1JD21vkOEco4SlDXGRGFGJslmYvRwg9F5aOjGhxc2qwb/NsTU
PKDNVjwPmXYTuNujWp7uGRC8KV+Ft7CVN14sYQk+bZ7tZhebBkmHJ5Es5wZvLx5H
vZVdo8Qa0pXayOX8QNYXQuaoSvOf/0aA4geeRlrEMdD/I6uLFTu/PreHC6PstDQq
cAWetCWIraOyHdlBEwVTqK0HxdEyVU9icm+5H+4A8FFWNnIuGE0TD4j1B3mkusIi
sE8Zqyp0Zg6/XVeJfK/vUHO6VP29HbHye3LL19AU4ZUvgEyq/GyhLxDV/u4zV5NG
sjVhckHtr2G2Z3X0+8dq5MeDNcUEfQ3C4Hy7wLdr/LCgPJs7T3VfuJFwWo5uYWij
uAWsEqZUjjYiJlSG5/FYNwYquaLc/OKhLndFkN28p6ygXwLChzrDwh5Y68xysnPg
nRstMM862dw7bFtjya5g
=24IK
-----END PGP SIGNATURE-----
