@greywolf12
Created June 11, 2023 17:02
Enduracoin Security Audit Report

1. Summary

Enduracoin smart contract security audit report performed by GreyWolf

2. In scope

Commit 9afcc04e174290de0471137dba3eae449b33e869

  • EnduracoinToken.sol
  • EnduracoinValue.sol

3. Findings

In total, 4 issues were reported, including:

  • 0 high severity issues.

  • 1 medium severity issue.

  • 3 low severity issues.

In total, 4 notes were reported, including:

  • 1 note.

  • 3 owner privileges.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

Lack of a transaction-handling mechanism. WARNING! This is a very common issue, and it has already caused millions of dollars in losses for many token users! More details here.

Recommendation

Add the following check to the transfer(address _to, ...) function:

require( _to != address(this) );

3.2. Owner privileges

Severity: owner privileges

Description

  1. 50 Billion Enduracoin will be pre-minted to the owner's wallet. If tokens are burnt, the owner has the right to mint new tokens up to 50 Billion in total supply.
  2. The owner has the right to pause/unpause Enduracoin token contract functions: transfer(), transferFrom(), mint(), burn(), burnFrom().
  3. The owner can set any value in the EnduracoinValue contract, so currentValue in the EnduracoinValue contract does not reflect a real market value of Enduracoin obtained in a decentralized way.

3.3. Getter functions in EnduracoinValue contract with onlyOwner modifier

Severity: note

Description

All getter functions in the EnduracoinValue contract have an onlyOwner modifier, which will not help keep values private. Since these are view functions, they don't require the sender's signature to call them. Anybody can use the owner's address to call those functions. Moreover, the value of any variable (even private) can be read from the blockchain.

Code snippet

Recommendation

Since the onlyOwner modifier adds no security to view functions, it is better to remove it so that readers are not misled by the apparent protection.

3.4. getCurrentValue may return the same value for the current and next day

Severity: low

Description

In getCurrentValue(), if dailyValueGain was changed today, the function returns baseValue + dailyValueGain; but on the next day, when ((block.timestamp - timestampOfLastVGAChange) / 86400) = 1, it returns the same value, baseValue + dailyValueGain.

Code snippet

Recommendation

This function should contain only the following:

return convertToString(baseValue + dailyValueGain * ((block.timestamp - timestampOfLastVGAChange) / 86400));

3.5. timestampOfLastVGAChange never updates to the actual timestamp

Severity: medium

Description

The function setDailyValueGainAdjustment() should update timestampOfLastVGAChange based on block.timestamp, but it just overwrites it with the static value timestampOfLastVGAChange = ((upTime * 86400) + startDate);, where upTime and startDate are static and set at contract deployment. This causes an incorrect calculation of currentValue.

Code snippet

Recommendation

Use the following:

timestampOfLastVGAChange = (((block.timestamp - startDate) / 86400) * 86400) + startDate;
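The two arithmetic problems in 3.4 and 3.5 are easiest to see side by side. The following is an added model of the value computation written for this report, not the Enduracoin contract's own code; the exact branch shape of the flawed getCurrentValue() is an assumption chosen to reproduce the behaviour described above (day 0 and day 1 yielding the same value), and upTime, startDate and all sample numbers are constructed.

```python
"""Model of the Enduracoin value arithmetic from findings 3.4 and 3.5.

Added illustration, not the audited contract. The flawed getCurrentValue()
shape below is an assumption that reproduces the reported symptom.
"""
DAY = 86400  # seconds per day, as used by the contract's integer division


def days_since(now: int, last_change: int) -> int:
    """Whole days elapsed: (block.timestamp - timestampOfLastVGAChange) / 86400."""
    return (now - last_change) // DAY


def current_value_reported(base: int, gain: int, now: int, last_change: int) -> int:
    """Assumed flawed logic: a separate branch for 'changed today' (3.4)."""
    elapsed = days_since(now, last_change)
    if elapsed == 0:
        return base + gain          # changed today
    return base + gain * elapsed    # day 1 again yields base + gain


def current_value_fixed(base: int, gain: int, now: int, last_change: int) -> int:
    """Recommended form: baseValue + dailyValueGain * elapsed days."""
    return base + gain * days_since(now, last_change)


def last_change_static(up_time: int, start_date: int) -> int:
    """3.5 as found: built only from deploy-time constants, never moves."""
    return (up_time * DAY) + start_date


def last_change_fixed(now: int, start_date: int) -> int:
    """3.5 recommendation: floor block.timestamp to the day boundary since startDate."""
    return (((now - start_date) // DAY) * DAY) + start_date


def value_schedule(base: int, gain: int, last_change: int, days: int) -> list:
    """Per-day (reported, fixed) pairs starting on the day of the last change."""
    return [
        (current_value_reported(base, gain, last_change + d * DAY, last_change),
         current_value_fixed(base, gain, last_change + d * DAY, last_change))
        for d in range(days)
    ]


if __name__ == "__main__":
    start = 1_000_000                       # constructed startDate
    now = start + 10 * DAY + 5000           # constructed block.timestamp, day 10
    print("static anchor:", last_change_static(3, start))    # stuck at day 3
    print("fixed anchor: ", last_change_fixed(now, start))   # start of day 10
    print("day: (reported, fixed)", value_schedule(100, 5, last_change_fixed(now, start), 3))
```

With base 100 and gain 5 the schedule prints (105, 100), (105, 105), (110, 110): the flawed branch repeats 105 on consecutive days, while the static anchor stays at startDate + 3 days no matter when the adjustment is made.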

3.6. The events EnduracoinDailyValueGainChanged and EnduracoinBaseValueChanged contain duplicated values

Severity: low

Description

The events EnduracoinDailyValueGainChanged and EnduracoinBaseValueChanged should contain the previous and new values of the changed variables. However, _dailyValueGainAdjustment and dailyValueGain are equal because the event is emitted after dailyValueGain has been updated. The same applies to _baseValueAdjustment and baseValue.

Also, the event EnduracoinBaseValueChanged contains the variable timestampOfLastVGAChange, which does not change when setBaseValueAdjustment() is called.

Code snippet

Recommendation

Emit the events EnduracoinDailyValueGainChanged and EnduracoinBaseValueChanged before the updateValue() function call, so that the previous and new values differ.
