Enduracoin smart contract security audit report performed by GreyWolf
Commit 9afcc04e174290de0471137dba3eae449b33e869
- EnduracoinToken.sol
- EnduracoinValue.sol
In total, 4 issues were reported, including:
- 0 high severity issues.
- 1 medium severity issue.
- 3 low severity issues.
In total, 4 notes were reported, including:
- 1 note.
- 3 owner privileges.
Lack of transaction handling mechanism issue. WARNING! This is a very common issue, and it has already caused millions of dollars in losses for many token users: tokens transferred to the token contract's own address have no holder who can move them out again, so they are lost. More details here.
Add the following check to the transfer(address _to, ...) function:
require( _to != address(this) );
- 50 Billion Enduracoin will be pre-minted to the owner's wallet. If tokens are burnt, the owner has the right to mint new tokens up to 50 Billion in total supply.
- The owner has the right to pause/unpause the following Enduracoin token contract functions: transfer(), transferFrom(), mint(), burn(), burnFrom().
- The owner can set any value in the EnduracoinValue contract, so currentValue in the EnduracoinValue contract is not a real market value of Enduracoin obtained in a decentralized way.
All getter functions in the EnduracoinValue contract have an onlyOwner modifier, which does not keep the values private. Since these are view functions, calling them requires no signature from the sender: an off-chain eth_call can specify any from address, including the owner's, so anybody can read them. Moreover, the value of any storage variable (even one declared private) can be read directly from the blockchain, for example with eth_getStorageAt.
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L51
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L56
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L95
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L99
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L103
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L107
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L111
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L115
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L119
Since the onlyOwner modifier adds no security for view functions, it is better to remove it so that readers are not misled by apparent protection.
In the function getCurrentValue(), if dailyValueGain was changed today, it returns baseValue + dailyValueGain, but on the next day, when ((block.timestamp - timestampOfLastVGAChange) / 86400) = 1, it returns the same value baseValue + dailyValueGain. The "changed today" special case therefore double-counts the first day.
This function should contain only the following:
return convertToString(baseValue + dailyValueGain * ((block.timestamp - timestampOfLastVGAChange) / 86400));
The function setDailyValueGainAdjustment() should update timestampOfLastVGAChange according to block.timestamp, but it just updates it with the static value timestampOfLastVGAChange = ((upTime * 86400) + startDate);, where upTime and startDate are static and set on contract deployment. This causes an incorrect calculation of currentValue.
Use the following, which rounds block.timestamp down to the start of the current day counted from startDate:
timestampOfLastVGAChange = (((block.timestamp - startDate) / 86400) * 86400) + startDate;
3.6. The events EnduracoinDailyValueGainChanged and EnduracoinBaseValueChanged contain duplicated values
The events EnduracoinDailyValueGainChanged and EnduracoinBaseValueChanged should contain the previous and the new value of the changed variables. But _dailyValueGainAdjustment and dailyValueGain are equal because the event is emitted after dailyValueGain has been updated. The same holds for _baseValueAdjustment and baseValue.
Also, the event EnduracoinBaseValueChanged contains the variable timestampOfLastVGAChange, which does not change when the function setBaseValueAdjustment() is called.
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L29
- https://github.com/CallistoSecurity/EnduracoinToken/blob/9afcc04e174290de0471137dba3eae449b33e869/EnduracoinValue.sol#L35
Emit the events EnduracoinDailyValueGainChanged and EnduracoinBaseValueChanged before the updateValue() function call, or save the previous value in a local variable before the update and pass it to the event explicitly.
This issue is of note severity.
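As an added example, not the project's EnduracoinValue contract: a reduced contract (SimpleValue, with an inline onlyOwner modifier and a uint256 return type instead of the original convertToString()) that applies the three recommendations above together: a getCurrentValue() driven only by the whole-day multiplier, a timestampOfLastVGAChange aligned to the start of the current day counted from startDate, and events that carry the previous and the new value. What the original updateValue() does is not shown in the report; here the gain accrued up to the rate change is folded into baseValue before the timestamp is reset, an assumption made so that a rate change does not silently discard accrued value. The parameter names _newDailyValueGain and _newBaseValue are also assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code: a reduced EnduracoinValue-like
// contract applying the fixes recommended in the report. Names such as
// SimpleValue, owner/onlyOwner, _newDailyValueGain, _newBaseValue and the
// uint256 return type (instead of convertToString()) are assumptions.
contract SimpleValue {
    uint256 public constant DAY = 86400;

    address public owner;
    uint256 public startDate;                // deployment time; day boundaries are counted from here
    uint256 public baseValue;
    uint256 public dailyValueGain;
    uint256 public timestampOfLastVGAChange; // start of the day on which dailyValueGain last changed

    // Both events carry the previous and the new value, captured before the update.
    event EnduracoinDailyValueGainChanged(uint256 previousGain, uint256 newGain, uint256 timestampOfLastVGAChange);
    event EnduracoinBaseValueChanged(uint256 previousBase, uint256 newBase);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _baseValue, uint256 _dailyValueGain) {
        owner = msg.sender;
        startDate = block.timestamp;
        baseValue = _baseValue;
        dailyValueGain = _dailyValueGain;
        timestampOfLastVGAChange = block.timestamp;
    }

    // Start of the current contract day: block.timestamp rounded down to a
    // whole number of days since startDate (the recommended replacement for
    // the static (upTime * 86400) + startDate assignment).
    function currentDayStart() public view returns (uint256) {
        return ((block.timestamp - startDate) / DAY) * DAY + startDate;
    }

    // Whole days elapsed since the last gain change: 0 on the day of the
    // change, 1 on the next day, and so on.
    function daysSinceLastChange() public view returns (uint256) {
        return (block.timestamp - timestampOfLastVGAChange) / DAY;
    }

    // No "changed today" special case: the day multiplier alone decides how
    // much gain has accrued, so day 0 and day 1 return different values.
    function getCurrentValue() public view returns (uint256) {
        return baseValue + dailyValueGain * daysSinceLastChange();
    }

    // Assumption for this example: the gain accrued so far is folded into
    // baseValue before the rate and the day-aligned timestamp are replaced,
    // so the reported value does not drop when the rate changes.
    function setDailyValueGainAdjustment(uint256 _newDailyValueGain) external onlyOwner {
        uint256 previousGain = dailyValueGain;   // saved before the update
        baseValue = getCurrentValue();
        dailyValueGain = _newDailyValueGain;
        timestampOfLastVGAChange = currentDayStart();
        emit EnduracoinDailyValueGainChanged(previousGain, _newDailyValueGain, timestampOfLastVGAChange);
    }

    // timestampOfLastVGAChange is not touched here, so it is not part of the event.
    function setBaseValueAdjustment(uint256 _newBaseValue) external onlyOwner {
        uint256 previousBase = baseValue;        // saved before the update
        baseValue = _newBaseValue;
        emit EnduracoinBaseValueChanged(previousBase, _newBaseValue);
    }
}
```

Note that none of the view functions carry onlyOwner: the values are public on-chain state in any case, and an unrestricted getter states that honestly.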