Skip to content

Instantly share code, notes, and snippets.

@oipkasec

oipkasec/BRICS.md Secret

Last active September 25, 2023 12:47
Show Gist options
  • Save oipkasec/7cbbce438022869fbc1177851388e7ac to your computer and use it in GitHub Desktop.
Save oipkasec/7cbbce438022869fbc1177851388e7ac to your computer and use it in GitHub Desktop.
Download ZIP
Raw
BRICS.md

BRICS Security Audit Report

1. Summary

BRICS smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Commit: c203cc42f2c683269ad88249a658e996943cc266

3. Findings

In total, 1 issues were reported, including:

  • 0 critical severity issues.

  • 0 high severity issues.

  • 1 medium severity issues.

  • 0 low severity issues.

In total, 6 notes were reported, including:

  • 5 minor observations.
  • 1 owner privileges.

3.1. The transfer, transferFrom, approve functions do not return boolean.

Severity: medium

Description

According to the EIP-20 specification, the transfer, transferFrom, approve functions should return boolean. This vulnerability may lead to incorrect operation with other contracts.

Recommendation

Set the appropriate return values and types for the transfer, transferFrom, approve functions.

3.2. Missing events access control.

Severity: minor observation

Description

Detect missing events for critical access control parameters.

Code Snippet

Recommendation

Emit an event for critical parameter changes.

3.3. Missing zero address validation.

Severity: minor observation

Description

Detect missing zero address validation.

Code Snippet

Recommendation

Check that the address is not zero.

3.4. Incorrect length of the decimals variable.

Severity: minor observation

Description

According to the EIP-20 specification, the length of the decimals variable should be uin8.

Code Snippet

Recommendation

It is recommended to change the length of the decimals variable to uint8.

3.5. Owner Privileges.

Severity: owner privileges

Description

BlackList

  1. The addBlackList function restricts token transfers for the user.
  2. The destroyBlackFunds function resets the user's account to zero.

Pausable

  1. The pause function allows the owner to stop the transfer and transferFrom operations.

BRICSChainToken

  1. The deprecate function allows the owner to change the address of the token at any time.
  2. The issue, mint, mintTo functions allow the owner to issue an unlimited number of tokens.
  3. The redeem function allows the owner to burn tokens, but no more than balances[owner].
  4. The setParams function allows the owner to change basisPointsRate and maximumFee, but not more than 20 and 50 respectively.
  5. The recoverTokens function allows the owner to withdraw tokens after an upgrade.

Recommendation

Since the owner has unlimited rights to do everything, ownership must be given to a contract with multiple signatures.

3.6. Follow good coding practice.

Severity: minor observation

Description

Unorganized and non-standardized docstrings.

Contracts in the code base have incomplete docstring detailing the status and functionality of the contract. This hinders reviewers' understanding of the code's intention, which is fundamental to correctly assessing security and correctness. Additionally, detailed docstrings improve readability and ease maintenance. They should explicitly explain the purpose or intention of the functions, the scenarios under which they can fail, the roles allowed to call them, the values returned, and the events emitted.

Recommendation

Consider thoroughly documenting all functions (and their parameters). Functions, that are implementing sensitive functionality should be documented as well. When writing docstrings, consider following the Ethereum Natural Specification Format (NatSpec).

3.7. Optimisation of variables.

Severity: minor observation

Description

It is recommended to change the length of the variables basisPointsRate and maximumFee to uin8, because their length will not be greater than 20 and 50 respectively.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment