This is the report from a security audit performed on CryptoAds smart contract (ETH) by alexo18. The audit focused primarily on the security of funds and fault tolerance of the CryptoAds contract. The main intention of this contract is to serve as utility token for advertisement platform CryptoAds (based on CFC.io)
In total, 4 issues were reported including:
- 1 medium severity issues.
- 3 low severity issues.
The 'address _to' parameter is not inspected for '0x0' value,so it is possible to accidentally send tokens to 0x0 address.
https://gist.github.com/yuriy77k/6f636b466df04c8ae0cc24e56b28e51a#L69#L214
Use a 'require' statement to inspect the parameter.
Some contract functions return '0' value in case if input conditions not met, but the caller may just not check the return value and expect a 'throw'.
A good code practice is to make your code fail as promptly and as loudly as possible.
Also state-reverting exception will bubble up and revert changes made to the entire stack.
https://gist.github.com/yuriy77k/6f636b466df04c8ae0cc24e56b28e51a#L196#L217#L355#L370#L389#L401
Some input parameters checks are excessive because their fulfillment is guaranteed by the SafeMath ,but, of course, SafeMath will 'throw'.
https://gist.github.com/yuriy77k/6f636b466df04c8ae0cc24e56b28e51a#L196#L217#L401
There is a possibility when user accidentally calls the 'AbstractToken.approve(address _spender, uint256 _value)' function, instead of overloaded version from the 'CryptoAdsToken' contract, thereby creating an opportunity for the double withdrawal attack.
Change the 'AbstractToken.approve(address _spender, uint256 _value)' access classifier to 'internal'.
No critical vulnerabilities were detected ,but we highly recommend to complete other bugs before use.