@Dexaran
Last active August 3, 2017 22:48
CORION audit report

CORION platform audit report

Summary

This is the report of a security audit of the CORION platform performed by Dexaran. The audit focused primarily on the fault tolerance of the system. I can conclude that the smart contracts were not in their final state when the audit started, and that changes were applied during the audit process, which made it more time-consuming.

The whole system is modular and the contracts are upgradeable. A debug mode allows intervening in the contracts' workflow to fix any error that arises. Upgradeability and debug intervention are also privileged capabilities: whoever holds the keys that control them can change the behaviour of the deployed system, so that access has to be trusted and protected accordingly.

Findings

I will not describe each reported issue and each function here because of the size of the contracts. All the work is transparently available in the GitHub repo.

In total, 78 issues were reported, including 6 critical issues (#1, #2, #3, #4, #5, #6), 2 compiler-related issues (#1, #2) and 1 EVM-related issue (#1).

In scope

  1. announcementTypes.sol

  2. ico.sol

  3. module.sol

  4. moduleHandler.sol

  5. owned.sol

  6. premium.sol

  7. publisher.sol

  8. token.sol

  9. tokenDB.sol

Specification

A version of the CORION platform (commit hash bbb992e14b02d00669c4f4653f0f97a4aacf59d1) was deployed on the Rinkeby testnet.

Two bug bounty sessions were launched.

Limited time frame

The whole CORION smart-contract system is very complex, and the interaction between contracts is complicated as well. The contracts were not in their final state when the audit began, and suggested changes were applied during the audit process. The system was not fully covered by automated tests.

As a result, it was impossible to test every aspect of the system and fully cover it with tests within the limited time frame.

Code readability

The code is hard to read and hard to verify, which increases the probability of mistakes and makes them harder to track down.

Superfluous functionality

The code is complicated by functionality that is not necessary for the contracts' workflow. Since any piece of code is a potential source of error, I recommend removing unnecessary functions from the contracts.

Such are:

  1. Approval functionality. It is deprecated, since the call-stack depth attack it was meant to work around was fixed by EIP 150.

  2. Affiliate program.

  3. Duplicated functions.

  4. Duplicated implementations.

  5. Restrictions that the CORION Foundation sets for itself (#1 and #2).
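To make the EIP 150 point in item 1 concrete, here is an added Python illustration; it is not code from the CORION report or its contracts. The call-stack depth attack worked by an attacker recursing until the EVM call stack was almost at its 1024 limit and then calling the victim, so that the victim's own internal CALL failed. After EIP 150 a CALL costs 700 gas and a frame may forward at most all but one 64th of its remaining gas, so the gas reaching deeper frames decays geometrically. The starting budget of 4,700,000 gas is an assumed, illustrative block gas limit of the period, and the pre-EIP 150 CALL cost of 40 gas is used only for the comparison.

```python
# Added illustration, not code from the CORION report or its contracts.
# Models only the call-depth/gas interplay behind the "stack depth attack":
# an attacker recursing to fill the EVM call stack so that the victim's
# next CALL fails at the 1024 limit.

CALL_STACK_LIMIT = 1024             # EVM maximum nesting depth for calls
CALL_COST_PRE_EIP150 = 40           # CALL base cost before EIP 150
CALL_COST_POST_EIP150 = 700         # CALL base cost after EIP 150 (no value, existing account)
ILLUSTRATIVE_BLOCK_GAS = 4_700_000  # assumption: a block gas limit of the period


def forwardable_gas(gas_left, post_eip150=True):
    """Gas a frame may pass to its child CALL.

    Before EIP 150 a frame could forward everything it had; after EIP 150 it
    may forward at most all but one 64th of what remains after paying for CALL.
    """
    if not post_eip150:
        return gas_left
    return gas_left - gas_left // 64


def max_call_depth(start_gas, post_eip150=True):
    """Deepest call nesting reachable by recursing with start_gas.

    Each level pays the CALL base cost, then forwards the allowed share to the
    next level. Recursion stops when a frame cannot afford another CALL or
    the hard stack limit is reached.
    """
    call_cost = CALL_COST_POST_EIP150 if post_eip150 else CALL_COST_PRE_EIP150
    depth, gas = 0, start_gas
    while depth < CALL_STACK_LIMIT and gas > call_cost:
        gas = forwardable_gas(gas - call_cost, post_eip150)
        depth += 1
    return depth


def min_gas_for_depth(target_depth, post_eip150=True, upper=10**13):
    """Smallest starting gas that reaches target_depth.

    Binary search is valid because the per-level transform is monotone in the
    gas it receives, so reachable depth never decreases as start_gas grows.
    """
    if max_call_depth(upper, post_eip150) < target_depth:
        raise ValueError("upper bound too small to reach target_depth")
    lo, hi = 0, upper
    while lo < hi:
        mid = (lo + hi) // 2
        if max_call_depth(mid, post_eip150) >= target_depth:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    pre = max_call_depth(ILLUSTRATIVE_BLOCK_GAS, post_eip150=False)
    post = max_call_depth(ILLUSTRATIVE_BLOCK_GAS, post_eip150=True)
    print(f"pre-EIP 150:  depth {pre} reachable with {ILLUSTRATIVE_BLOCK_GAS:,} gas")
    print(f"post-EIP 150: depth {post} reachable with {ILLUSTRATIVE_BLOCK_GAS:,} gas")
    print(f"post-EIP 150: gas needed to reach depth {CALL_STACK_LIMIT}: "
          f"{min_gas_for_depth(CALL_STACK_LIMIT):,}")
```

With 4.7 million gas the recursion hits the 1024 cap under the old rules but stalls after a few hundred levels under EIP 150, and pushing the stack to depth 1024 after EIP 150 would need several hundred billion gas, far beyond any block gas limit. That is why a contract no longer needs a caller-driven approve-then-pull workflow to defend against a forced CALL failure at the stack limit.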

Recent updates

Not all contracts were finished at the time of the audit, and some changes were made very recently. Every new change and bug fix carries a probability of introducing new bugs or flaws, which also need to be tracked.

Conclusion

Due to the lack of test coverage and the recent changes, I recommend completing the development of the whole contract system first.

Full and thorough testing of the whole system must be performed after the final version of the contracts is established, so that the recent updates are covered. It is highly recommended to deploy the whole finished system on a testnet first.

I would also recommend launching a bug bounty on the whole system of contracts after the development of all contracts is finalized.

I recommend applying the changes before deploying the contracts.

@drd34d

drd34d commented Jul 29, 2017

Any guarantee that they'll fix and audit again after completeness?
