This document is a security audit report performed by RideSolo, where Twogap Token has been reviewed.
Symbol : TGT
Name : Twogap Token
Total supply: 210,000,000,000
Decimals : 18
Standard : ERC20
3 issues were reported including:
- 3 low severity issues.
If an address receives bounties twice or more the bounties value of the address is not accumulated, meaning that the vesting logic implemented in transfer function will not lock the bounties allowed before the last call to bountyWithdraw
.
function bountyWithdraw(address to, uint256 value) public onlyOwner returns (bool) {
withdraw(to, value);
bounties[to] = value;
return true;
}
function _transfer(address from, address to, uint256 value) internal {
require(to != address(0));
if (block.timestamp < bountyLockTime3Month) {
require(_balances[from].sub(value) >= bounties[from]);
} else if(block.timestamp < bountyLockTime6Month) {
require(_balances[from].sub(value) >= (bounties[from] * 9 / 10));
} else if(block.timestamp < bountyLockTime12Month) {
require(_balances[from].sub(value) >= (bounties[from] * 6 / 10));
}
_balances[from] = _balances[from].sub(value);
_balances[to] = _balances[to].add(value);
emit Transfer(from, to, value);
}
change bounties[to] = value
to bounties[to] = bounties[to].add(value)
decreaseAllowance
throw in case if the value to be substracted is higher than the amount that is allowed, if the address owner wants to change the value allowed by reducing it and the spender withdraw a part of it before, the function might throw and give more chances for the spender to take the rest of the allowed value.
The value should be set to zero if the value to be subtracted is higher than the allowance.
function decreaseAllowance(address spender, uint256 subtractedValue) public returns (bool) {
require(spender != address(0));
_allowed[msg.sender][spender] = _allowed[msg.sender][spender].sub(subtractedValue);
emit Approval(msg.sender, spender, _allowed[msg.sender][spender]);
return true;
}
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here
Add the following code to the function _transfer(address from, address to, uint256 value)
function:
require( _to != address(this) );
The audited contract is safe, however issue 3.1 should be fixed.