Skip to content

Instantly share code, notes, and snippets.

@KenMan79

KenMan79/BSB_SmartSwapETHBNB_report.md

Forked from yuriy77k/BSB_SmartSwapETHBNB_report.md
Created June 28, 2021 05:22
Show Gist options
  • Save KenMan79/0aded4d2b343aeaed140a7b58097ed97 to your computer and use it in GitHub Desktop.
Save KenMan79/0aded4d2b343aeaed140a7b58097ed97 to your computer and use it in GitHub Desktop.
Download ZIP
SmartSwap ETHBNB Security Audit Report
Raw
BSB_SmartSwapETHBNB_report.md

SmartSwap ETHBNB Security Audit Report

1. Summary

SmartSwap ETHBNB smart contract security audit report performed by Callisto Security Audit Department

The Smart Swap contract allows swapping ETH <> BNB and ERC20 <> BEP20 tokens by face value. It uses Oracle to get the price of tokens at the moment of swap.

2. In scope

Commit f2b3d82c8ed0d61cfd99621fea8cca6a798c9ead

3. Findings

In total, 4 issues were reported including:

  • 0 high severity issues.

  • 0 medium severity issues.

  • 0 low severity issues.

  • 4 owner privileges.

No critical security issues were found.

3.1. Owner privileges

Severity: owner privileges

Description

  1. Owner can change company fee.
  2. Owner can change factory contract to the new contract.
  3. Owner can change validator contract.
  4. Owner can change Oracle contract.

Since tokens swapping correctness completely relies on the Validator response and the Validator contract relies on the Oracle response the owner may change those contracts to make swapping unfair (or steal money).

4. Conclusion

The audited smart contract can be deployed. No direct security issues were found during the audit. But the users have to take note of the owner's rights and have to trust the SmartSwap owner and Oracle that used in the SmartSwap contract.

5. Revealing audit reports

https://gist.github.com/MrCrambo/0e1e527980b6bc790ad3301fd56687da

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment