This is the report from a security audit performed on SmartToken by gorbunovperm.
Commit hash: fb69ef918a4b2ef2c5825a4190810032e7accff0
https://github.com/jointerinc/smartToken/tree/fb69ef918a4b2ef2c5825a4190810032e7accff0
In total, 5 issues were reported, including:
- 0 high severity issues.
- 1 medium severity issue.
- 1 low severity issue.
- 2 owner privileges.
- 1 note.
The reward depends on the duration of staking and on the amount of staked tokens. In the common case, when the balance increases, the reward is paid and staking starts again with the updated balance and a reset staking period.
In the case of an airdrop, however, the staking period is not reset, so the staking start date remains the old one. If a user has held even minimal funds without moving them, for example for a year, then on receiving an airdrop he can, in the next block, receive an annual reward for staking the airdrop.
- mint(): increases the balance and resets startBlock
- airdrop(): increases the balance without resetting startBlock
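The difference between the two code paths, as a simplified Python model added here (it is not the SmartToken contract's code). The linear reward formula, the `RATE` value, the block counts and the `airdrop_fixed` variant are assumptions made for illustration.

```python
# Simplified model of the staking accounting described in the report.
# Assumption: reward = balance * blocks_staked * RATE; the contract's real
# formula is not shown on the page.
from fractions import Fraction

RATE = Fraction(1, 1_000_000)  # constructed per-block reward rate


class Account:
    def __init__(self, balance, start_block):
        self.balance = Fraction(balance)
        self.start_block = start_block
        self.paid = Fraction(0)

    def pending_reward(self, block):
        return self.balance * (block - self.start_block) * RATE

    def _settle(self, block):
        # Pay the reward earned on the old balance, then restart the period.
        self.paid += self.pending_reward(block)
        self.start_block = block

    def mint(self, amount, block):
        # Behaviour the report describes for mint(): reward paid, startBlock reset.
        self._settle(block)
        self.balance += amount

    def airdrop_unsafe(self, amount, block):
        # Behaviour the report describes for airdrop(): balance grows,
        # startBlock is left untouched.
        self.balance += amount

    def airdrop_fixed(self, amount, block):
        # One possible fix (assumption): settle before crediting, as mint() does.
        self._settle(block)
        self.balance += amount


def reward_one_block_after(credit, year=2_000_000):
    """Total reward one block after a 1000-token credit to a 1-token
    account that sat idle for `year` blocks (constructed numbers)."""
    acct = Account(balance=1, start_block=0)
    getattr(acct, credit)(1000, year)
    return acct.paid + acct.pending_reward(year + 1)
```

In this model the unsafe path pays 2000 tokens more than the fixed path, which is exactly a year of reward on 1000 tokens that were held for one block.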
If there are several airdrops of different amounts, the users who received the smaller quantity of tokens must hold double the amount of the last airdrop to unlock their account.
For example, suppose there are two airdrops, of 1 Smart and 3 Smarts, for different users. The users who received 1 Smart must then hold 6 Smarts (instead of 2 Smarts) to unlock their account.
In addition, blocking the account restricts the user. Not everyone will want a lock on their old funds, even to get an airdrop. Perhaps you should block only the airdrop amount, not all of the user's funds.
- The owner can mint any amount of tokens for any address. link
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here
Some dangerous vulnerabilities were discovered here.