This is the report from a security audit performed on Call by MrCrambo.
The audit focused primarily on the security of Call smart contracts.
- interfaces/IERC664.sol
- interfaces/IERC777.sol
- interfaces/IERC777TokensRecipient.sol
- interfaces/IERC664TokensSender.sol
- misc/ERC664Balances.sol
- misc/SafeGuard.sol
- test/EIP20.sol
- test/Test.sol
- test/TestTokensRecipient.sol
- test/TestTokensSender.sol
- token/ERC777.sol
- token/ERC777ERC20Compat.sol
- token/ERC777RemoteBridge.sol
- CALL.sol
- CStore.sol
In total, 7 issues were reported including:
-
0 high severity issues.
-
2 medium severity issues.
-
3 owner privilegies issues.
-
2 low severity issues.
-
0 notes.
There are no zero address checking in functions setModule, incBalance, decBalance in misc/ERC664Balances.sol contract, in functions transfer and transferFrom in test/EIP20.sol, .
- Owner can increase and decrease any users balances in
misc/ERC664Balances.solcontract. - Owner can change balance database in line 32 at
CStore.solcontract, that could be risky for investors. - Owner can enable and disable
ERC20Token.
Owner can increase totalSupply as much as he wants and it could be risky to investors in misc/ERC664Balances.sol contract.
Add cap that should be equal to max total supply and check, that your current totalSupply is less than this cap.
Owner can decrease totalSupply as much, that totalSupply will be less than all tokens hold by users in misc/ERC664Balances.sol contract.
Add checking, that decreased totalSupply will be greater than tokens hold by users.
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. More details here
Add into a function transfer(address _to, ... ) following code:
require( _to != address(this) );Smart contract contains medium severity issues.