This document is a security audit report performed by RideSolo, where PHI Crowdsale has been reviewed.

- PHICrowdsale.sol github commit hash c0eeedc616935ce2cf72191567c05bc705e983a1.

5 issues were reported including:

- 2 medium severity issues.
- 3 low severity issues.
- The `mint(address _to, uint256 _amount, address _owner)` function does not mint tokens but rather transfers tokens from the `_owner` address to the `_to` address; this allows transfer of tokens from any address to another address. `mint` is marked as internal, so its usage is limited to inside the contract and it won't harm any investor.
- When the ICO ends, if the owner doesn't call `ownerBurnToken`, the tokens allocated for the crowdsale will be kept by the owner in his wallet, since `mint` does not really mint but just transfers tokens from the `addressFundReferal` or `owner` addresses.
- `mintingFinished`, a member of the `MintableToken` contract, is not intended to be set to `true` at any moment inside all the Token and ICO logic.

https://github.com/vpomo/RideSolo/blob/master/contracts/PHICrowdsale.sol#L243#L253
If a user buys tokens during the pre-ICO expecting `ratePreIco` to be applied, and `tokenAllocated` is higher than `limitPreIco`, then the rate actually used will be `rateIco`, resulting in an `amountOfTokens` lower than the buyer expected.
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L385#L395
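A small model of this finding, added here as an illustration and not code from the PHI contract: the rates, the cap and the function names are assumptions, and the `min_tokens` guard is one possible mitigation (a buyer-stated minimum, as a slippage check) rather than something the contract implements.

```python
class Reverted(Exception):
    """Stands in for a Solidity require() failure / revert."""

# Constructed parameters: rates in tokens per payment unit, cap in tokens.
RATE_PRE_ICO = 2000
RATE_ICO = 1000
LIMIT_PRE_ICO = 1_000_000

class Crowdsale:
    def __init__(self, token_allocated=0, pre_ico_active=True):
        self.token_allocated = token_allocated
        self.pre_ico_active = pre_ico_active  # time-based phase flag

    def current_rate(self):
        """Rate selection as the finding describes it: the pre-ICO rate applies
        only while tokenAllocated has not exceeded limitPreIco, else rateIco."""
        if self.pre_ico_active and self.token_allocated <= LIMIT_PRE_ICO:
            return RATE_PRE_ICO
        return RATE_ICO

    def buy(self, payment):
        """Purchase as described: the contract picks the rate silently."""
        amount = payment * self.current_rate()
        self.token_allocated += amount
        return amount

    def buy_with_min_tokens(self, payment, min_tokens):
        """Assumed mitigation: the buyer passes the smallest amount acceptable
        to them (e.g. payment * ratePreIco) and the purchase reverts instead
        of filling at a rate they did not anticipate."""
        amount = payment * self.current_rate()
        if amount < min_tokens:
            raise Reverted("fewer tokens than expected: rate has changed")
        self.token_allocated += amount
        return amount

def demo():
    """Pre-ICO active by time, but tokenAllocated is already past limitPreIco."""
    payment = 10
    expected = payment * RATE_PRE_ICO  # what the buyer anticipates
    sale = Crowdsale(token_allocated=LIMIT_PRE_ICO + 500)
    received = sale.buy(payment)       # what the described logic pays out
    guarded = Crowdsale(token_allocated=LIMIT_PRE_ICO + 500)
    try:
        guarded.buy_with_min_tokens(payment, expected)
        reverted = False
    except Reverted:
        reverted = True
    return expected, received, reverted
```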
ICO phases can be started, extended or stopped at the owner's will.
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L495#L500
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L507#L512
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L518#L523
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L529#L533
`mintForFund` should emit a `Mint` event after adding the fund value to every address.
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L443#L456
ERC20 tokens have some well-known issues (listed below); this is just a reminder for the contract developers.

- The approve + transferFrom mechanism allows a double withdrawal attack.
- Lack of transaction handling.

The above mentioned issues are well documented; a basic search will yield more information.
Smart contracts are intended to be more autonomous than centralized applications; crowdsale functions should be more decentralized to fully benefit from the trustless nature of the Ethereum blockchain.

Multiple issues have been raised; the contract developers should fix them before deployment.