This is the report from a security audit performed on ETC TokenMint by Il Kadyrov.
The audit focused primarily on the security of TokenMint contracts.
- https://github.com/ethereumproject/TokenMint/blob/master/contracts/metaTokenmint.sol
- https://github.com/ethereumproject/TokenMint/blob/master/contracts/registry.sol
- https://github.com/ethereumproject/TokenMint/blob/master/contracts/deployed/crowdsale.sol
- https://github.com/ethereumproject/TokenMint/blob/master/contracts/deployed/icoMachine.sol
- https://github.com/ethereumproject/TokenMint/blob/master/contracts/deployed/manReg.sol
In total, 12 issues were reported including:
-
4 high severity issues.
-
3 medium severity issues.
-
3 low severity issues.
-
2 minor observation.
onlyOwner modifier has different structure in each smart contract, need to create one smart contract and use it in each other and in registry.sol it will not throw as, if we are not owner.
Rewrite onlyOwner modifier and use same in each smart contract or better to use OpenZeppelins' smart contracts. modifier onlyOwner() { require(msg.sender == owner); _; }
Modifier costs will not throw, if sent value less than price.
Write using require or use throw if msg.value less than price.
3. Wrong onlyAdmin modifier in files registry.sol (lines 175-185), manReg.sol(lines 220-226), metaTokenmint.sol(lines 114-120).
Modifier onlyAdmin will not throw, if msg.sender is admin because of incorrect code.
Write using require or throw after for loop, if there is no admin
Modifier onlyAdmin will not throw, if msg.sender is admin because of incorrect code.
Write using require or throw after for loop, if there is no admin
In each audited files need to use SafeMath, because there are possibilities to get overflow or underflow.
Use SafeMath from OpenZeppelin.
6. Rewrite withdraw function for ptotecting from spending gas on transactions in registry.sol(lines 120-130) and manReg.sol(105-115).
There are possibility to spend gas for transaction, if it will revert in if statement.
Rewrite function with using require instead of if statement.
7. Rewrite safeWithdrawal function for ptotecting from spending gas on transactions in crowdsale.sol(lines 61-82).
There are possibility to spend gas for transaction, if it will revert in one of two if statements.
Rewrite function with using require instead of if statement.
Used assert for checking if it's not zero address
Rewrite using require.
Used solidity version is old.
Need to use one of the latest version of solidity.
There are new selfdestruct function instead of suicide.
Need to change suicide function to selfdestruct.
Used existing values as params name in event. (line 13)
Change variables names.
Used variable with name kontract. (line 40)
Change variable name to correct one.
This smart contract has some high severity vulnerabilities.
Any further changes to the contracts will leave them in unaudited state.
Four high severity vulnerabilities were detected. The reported issues can directly hurt the TokenMint smart contracts.
You need to fix all high severity issues and we highly recommend you to complete other bug bounty before use.