@RideSolo
Created October 8, 2018 09:01
PHI Crowdsale Audit Report.

1. Summary

This document is a security audit report by RideSolo covering the PHI Crowdsale contracts.

2. In scope

3. Findings

5 issues were reported, including:

  • 2 medium severity issues.

  • 3 low severity issues.

3.1. Token Minting

Severity: Medium

Description

  • mint(address _to, uint256 _amount, address _owner) does not mint tokens; it transfers tokens from the _owner address to _to, which means any address's balance can be moved to another address. Because mint is marked internal, its use is limited to the contract itself, and it will not harm any investor directly.

  • When the ICO ends, if the owner does not call ownerBurnToken, the tokens allocated to the crowdsale but not sold stay in the owner's wallet, since mint does not really mint but only transfers tokens from addressFundReferal or the owner address.

  • The mintingFinished member of the MintableToken contract is never set to true anywhere in the token or ICO logic, so minting is never closed.

Code snippet

https://github.com/vpomo/RideSolo/blob/master/contracts/PHICrowdsale.sol#L243#L253

3.2. ICO Rates

Severity: Medium

Description

If a user buys tokens during the pre-ICO expecting ratePreIco to be applied, but tokenAllocated is already higher than limitPreIco, the rate actually used is rateIco. The purchase goes through at the worse rate instead of reverting, so the resulting amountOfTokens is lower than the buyer expected.

Code snippet

https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L385#L395
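One way to price a purchase that straddles the pre-ICO limit, written here as an added illustration and not taken from the PHI contract: the portion of the order that still fits under limitPreIco is sold at ratePreIco and only the remainder at rateIco, and the buyer passes the minimum quantity they will accept so the call reverts rather than silently delivering less. Rates are assumed to be token units per wei; ratePreIco, rateIco, limitPreIco and the figures assigned to them are assumptions for the example.

```solidity
pragma solidity ^0.4.24;

// Added example for this report: phase-aware pricing that does not reprice a
// whole pre-ICO order at rateIco. Not the PHI contract. Rates are token units
// per wei; the numbers below are made up for illustration.
contract PhasedRateExample {
    uint256 public ratePreIco  = 2000;             // assumption: token units per wei
    uint256 public rateIco     = 1000;
    uint256 public limitPreIco = 1000000 * 10**18; // assumption: token units sold at ratePreIco
    uint256 public tokenAllocated;                 // token units sold so far

    event TokenPurchase(address indexed buyer, uint256 weiAmount, uint256 tokens);

    function mulChecked(uint256 a, uint256 b) internal pure returns (uint256 c) {
        if (a == 0) return 0;
        c = a * b;
        require(c / a == b);
    }

    // Price `_wei` given that `_allocated` token units were already sold.
    // The part of the order that fits under limitPreIco gets ratePreIco and
    // the remainder gets rateIco, instead of the whole order dropping to rateIco.
    function tokensFor(uint256 _wei, uint256 _allocated) public view returns (uint256) {
        if (_allocated >= limitPreIco) {
            return mulChecked(_wei, rateIco);
        }
        uint256 remainingPre = limitPreIco - _allocated;
        uint256 preTokens = mulChecked(_wei, ratePreIco);
        if (preTokens <= remainingPre) {
            return preTokens;
        }
        // preTokens > remainingPre implies _wei > preWei, so the subtraction below is safe.
        uint256 preWei = remainingPre / ratePreIco;       // wei that still fits under the limit
        uint256 icoTokens = mulChecked(_wei - preWei, rateIco);
        uint256 total = mulChecked(preWei, ratePreIco) + icoTokens;
        require(total >= icoTokens);
        return total;
    }

    // The buyer states the minimum they will accept; a purchase that would
    // deliver less reverts (refunding the ether) instead of silently succeeding.
    function buyTokens(uint256 _minTokens) public payable {
        require(msg.value > 0);
        uint256 tokens = tokensFor(msg.value, tokenAllocated);
        require(tokens >= _minTokens);
        uint256 newAllocated = tokenAllocated + tokens;
        require(newAllocated >= tokenAllocated);
        tokenAllocated = newAllocated;
        emit TokenPurchase(msg.sender, msg.value, tokens);
        // token delivery and fund forwarding are out of scope for this example
    }
}
```

A front end would call tokensFor(msg.value, tokenAllocated) off-chain to show the quote and then pass that quote (or a slightly lower value) as _minTokens, so a purchase that lands after the limit is crossed fails loudly rather than filling at rateIco.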

3.3. ICO Phases Time

Severity: Low

Description

The start and end times of the ICO phases can be set, extended or stopped at the owner's will, so investors cannot rely on the published schedule.

Code snippet

https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L495#L500

https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L507#L512

https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L518#L523

https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L529#L533
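The alternative a practitioner would want here, given as an added example and not as code from the PHI repository: the phase schedule is fixed in the constructor, the owner may only correct it before the pre-ICO opens, the phases are checked for ordering, and there is no separate start, stop or extend switch. The 180-day cap on total duration is an assumed policy value.

```solidity
pragma solidity ^0.4.24;

// Added example for this report: a sale schedule fixed at deployment and
// adjustable by the owner only before the first phase opens. Not the PHI
// contract; the 180-day cap is an assumed policy value.
contract PhaseScheduleExample {
    enum Phase { NotStarted, PreIco, BetweenPhases, Ico, Ended }

    address public owner;
    uint256 public startTimePreIco;
    uint256 public endTimePreIco;
    uint256 public startTimeIco;
    uint256 public endTimeIco;

    event ScheduleSet(uint256 startPre, uint256 endPre, uint256 startIco, uint256 endIco);

    modifier onlyOwner() { require(msg.sender == owner); _; }

    constructor(uint256 _startPre, uint256 _endPre, uint256 _startIco, uint256 _endIco) public {
        owner = msg.sender;
        _setSchedule(_startPre, _endPre, _startIco, _endIco);
    }

    // Once the pre-ICO has opened, nobody can move, extend or cut any phase:
    // the terms investors bought under are the terms that apply.
    function setSchedule(uint256 _startPre, uint256 _endPre, uint256 _startIco, uint256 _endIco)
        public onlyOwner
    {
        require(now < startTimePreIco);
        _setSchedule(_startPre, _endPre, _startIco, _endIco);
    }

    function _setSchedule(uint256 _startPre, uint256 _endPre, uint256 _startIco, uint256 _endIco) internal {
        require(_startPre > now);                                                  // cannot backdate a phase
        require(_startPre < _endPre && _endPre <= _startIco && _startIco < _endIco); // phases in order
        require(_endIco - _startPre <= 180 days);                                  // assumption: bounded duration
        startTimePreIco = _startPre;
        endTimePreIco = _endPre;
        startTimeIco = _startIco;
        endTimeIco = _endIco;
        emit ScheduleSet(_startPre, _endPre, _startIco, _endIco);
    }

    // The phase is derived from the clock and the schedule alone.
    function currentPhase() public view returns (Phase) {
        if (now < startTimePreIco) return Phase.NotStarted;
        if (now < endTimePreIco) return Phase.PreIco;
        if (now < startTimeIco) return Phase.BetweenPhases;
        if (now < endTimeIco) return Phase.Ico;
        return Phase.Ended;
    }

    // Purchases are possible only while a phase is open; there is no owner
    // pause or stop switch outside the schedule itself.
    function isSaleOpen() public view returns (bool) {
        Phase p = currentPhase();
        return p == Phase.PreIco || p == Phase.Ico;
    }
}
```

A buyTokens function would start with require(isSaleOpen()) and select ratePreIco or rateIco from currentPhase(), so the rate and the timing are both determined by the on-chain schedule rather than by owner calls made during the sale.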

3.4. Minting Event

Severity: Low

Description

mintForFund should emit a Mint event after adding the fund value to every address, so that each allocation is visible in the event log and can be reconciled off-chain.

Code snippet

https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L443#L456
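The following added example, written for this report and not taken from the PHI token, shows what findings 3.1 and 3.4 ask for in one place: a mint that really creates supply (totalSupply and the recipient balance both grow, and nothing is moved out of the owner's wallet), a batch allocation that emits one Mint event per recipient, and a finishMinting that actually sets mintingFinished. With real minting there is no unsold allocation sitting in the owner's wallet at the end of the sale, so no ownerBurnToken step is needed. The contract, function and event names below are assumptions chosen for the example.

```solidity
pragma solidity ^0.4.24;

// Added example for this report: a minimal mintable token. Not the PHI token.
contract MintableTokenExample {
    string public constant name = "Example";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public owner;
    bool public mintingFinished;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Mint(address indexed to, uint256 amount);
    event MintFinished();

    modifier onlyOwner() { require(msg.sender == owner); _; }
    modifier canMint() { require(!mintingFinished); _; }

    constructor() public { owner = msg.sender; }

    // A real mint creates supply: totalSupply and the recipient balance both
    // grow, and nothing leaves any existing holder's balance. A "mint" that
    // only moves tokens from a pre-funded address is a transfer, and should be
    // named (and audited) as one.
    function mint(address _to, uint256 _amount) public onlyOwner canMint returns (bool) {
        require(_to != address(0));
        uint256 newSupply = totalSupply + _amount;
        require(newSupply >= totalSupply);          // overflow guard on supply
        totalSupply = newSupply;
        balanceOf[_to] += _amount;                  // bounded by totalSupply, cannot overflow
        emit Mint(_to, _amount);
        emit Transfer(address(0), _to, _amount);    // conventional mint signal for explorers
        return true;
    }

    // Batch allocation (team, referral or reserve funds): one Mint event per
    // recipient so every credit can be reconciled from the log.
    function mintForFund(address[] _recipients, uint256[] _amounts) public onlyOwner canMint {
        require(_recipients.length == _amounts.length);
        for (uint256 i = 0; i < _recipients.length; i++) {
            mint(_recipients[i], _amounts[i]);
        }
    }

    // Close minting when the sale ends; no further supply can be created.
    function finishMinting() public onlyOwner canMint returns (bool) {
        mintingFinished = true;
        emit MintFinished();
        return true;
    }
}
```

The crowdsale contract would be set as owner of the token and call finishMinting from its own finalization step, so that mintingFinished is guaranteed to be set once the ICO is over rather than depending on a separate owner action.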

3.5. Known Issues of ERC20 Standard

Severity: Low

Description

ERC20 tokens have some well-known issues (listed below); this is a reminder for the contract developers.

  • The approve + transferFrom mechanism allows the double-withdrawal attack: a spender who sees an allowance change from N to M in the mempool can spend N before the change lands and M after it.
  • Lack of transaction handling: tokens transferred to a contract that is not designed to receive them are stuck, because ERC20 gives the receiving contract no way to react to or reject the transfer.

The above-mentioned issues are well documented; a basic search will give more information.
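For the first of these issues, the mitigation a reviewer would expect is shown below as an added example (not code from the PHI token): approve only allows setting the allowance from zero or to zero, and increaseApproval / decreaseApproval let holders adjust an allowance without the reset window. The transferFrom guard against sending tokens to the token contract itself is only a partial mitigation of the second issue, since tokens can still be sent to any other contract that cannot handle them. The contract name and initial supply parameter are assumptions for the example.

```solidity
pragma solidity ^0.4.24;

// Added example for this report: allowance handling that closes the
// approve/transferFrom race. Not the PHI token.
contract SafeApprovalExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 _supply) public { balanceOf[msg.sender] = _supply; }

    // Only 0 -> N or N -> 0 transitions: a spender racing a change from N to M
    // can no longer collect N and then M.
    function approve(address _spender, uint256 _value) public returns (bool) {
        require(_value == 0 || allowance[msg.sender][_spender] == 0);
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // Relative adjustments apply to whatever the allowance is when they are
    // mined, so a front-running spend cannot gain from them.
    function increaseApproval(address _spender, uint256 _added) public returns (bool) {
        uint256 current = allowance[msg.sender][_spender];
        uint256 updated = current + _added;
        require(updated >= current);                // overflow guard
        allowance[msg.sender][_spender] = updated;
        emit Approval(msg.sender, _spender, updated);
        return true;
    }

    function decreaseApproval(address _spender, uint256 _subtracted) public returns (bool) {
        uint256 current = allowance[msg.sender][_spender];
        uint256 updated = _subtracted > current ? 0 : current - _subtracted;
        allowance[msg.sender][_spender] = updated;
        emit Approval(msg.sender, _spender, updated);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(_to != address(0));
        require(_to != address(this));              // partial mitigation: tokens sent here would be stuck
        require(_value <= balanceOf[_from]);
        require(_value <= allowance[_from][msg.sender]);
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value;                   // sum of balances equals supply, cannot overflow
        allowance[_from][msg.sender] -= _value;
        emit Transfer(_from, _to, _value);
        return true;
    }
}
```

The zero-or-zero rule in approve breaks integrations that call approve(N) twice in a row, which is why the increase/decrease pair is usually offered alongside it; a token that cannot afford that breakage keeps a plain approve and documents that holders should reset to zero before changing an allowance.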

4. Conclusion

Smart contracts are intended to be more autonomous than centralized applications; crowdsale functions should be more decentralized to fully benefit from the trustless nature of the Ethereum blockchain.

Multiple issues have been raised; the contract developers should fix them before deployment.
