@gorbunovperm
Created May 28, 2019 11:37
Idex security audit report


Summary

This is the report from a security audit performed on Idex by gorbunovperm.

It is an Ethereum-driven decentralized exchange that supports Ethereum and ERC20 token trading pairs.

https://idex.market/

In scope

Commit hash: efdf556013c20b225ae31261ef95d8911e0b37fe

  1. DVIP.sol
  2. Exchange.sol
  3. ExchangeWhitelist.sol
  4. MyToken.sol
  5. lib/

Findings

In total, 5 issues were reported, including:

  • 0 critical severity issues.

  • 0 high severity issues.

  • 0 medium severity issues.

  • 5 low severity issues.

  • 0 minor observations.

Security issues

1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  • It is possible to perform a double withdrawal attack. More details here

  • Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here

Recommendation

Add the following check to the transfer(address _to, ...) function:

require( _to != address(this) );

2. ERC20 Compliance: event missing

Severity: low

Code snippet

Description

According to the ERC20 standard, when a token contract is initialized and any token value is assigned to an address, a Transfer event should be emitted. No event is emitted when the initial supply is assigned to msg.sender.

3. Required check for an empty address

Severity: low

Code snippet

Description

It is possible to accidentally send tokens to the 0x0 address.

4. ERC20 Compliance: transfer function returns nothing

Severity: low

Code snippet

Description

According to the ERC20 specification, this function should return true or false.

5. Incorrect Deposit event argument

Severity: low

Code snippet

Description

Deposits can be made both in tokens and in ether, but in both cases the Deposit event is emitted with the amount (of tokens) parameter.

Recommendation

For deposits in ether, msg.value should be used instead of the amount parameter.
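As an added example (not code from the audited Idex contracts), the following Solidity sketch applies the recommendations from findings 1 through 5 in one illustrative contract; the contract name, the Deposit event signature, the balance layout and the pragma version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative token with an exchange-style deposit, combined into one
// contract for brevity. Not the audited code; all names are assumptions.
contract HardenedToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    // Exchange-style balances: tokens[tokenAddress][user]; address(0) = ether.
    mapping(address => mapping(address => uint256)) public tokens;

    event Transfer(address indexed from, address indexed to, uint256 value);
    // Finding 5: the same event serves both deposit kinds; amount is
    // msg.value for ether and the token amount for token deposits.
    event Deposit(address indexed token, address indexed user,
                  uint256 amount, uint256 balance);

    constructor(uint256 _initialSupply) {
        totalSupply = _initialSupply;
        balanceOf[msg.sender] = _initialSupply;
        // Finding 2: assigning the initial supply must emit Transfer from 0x0.
        emit Transfer(address(0), msg.sender, _initialSupply);
    }

    // Finding 4: transfer returns a bool as ERC20 requires.
    function transfer(address _to, uint256 _value) public returns (bool) {
        // Finding 3: reject accidental sends to the zero address.
        require(_to != address(0), "transfer to zero address");
        // Finding 1: reject sends to the token contract itself (tokens
        // sent here cannot be recovered by the contract).
        require(_to != address(this), "transfer to token contract");
        require(balanceOf[msg.sender] >= _value, "insufficient balance");
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    // Finding 5: an ether deposit logs msg.value, not a token amount parameter.
    function deposit() public payable {
        tokens[address(0)][msg.sender] += msg.value;
        emit Deposit(address(0), msg.sender, msg.value,
                     tokens[address(0)][msg.sender]);
    }
}
```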

Conclusion

Some vulnerabilities were discovered in these contracts.
