BRICS smart contract security audit report performed by Callisto Security Audit Department
Commit: c203cc42f2c683269ad88249a658e996943cc266
In total, 1 issue was reported, including:
- 0 critical severity issues.
- 0 high severity issues.
- 1 medium severity issue.
- 0 low severity issues.
In total, 6 notes were reported, including:
- 5 minor observations.
- 1 owner privileges.
According to the EIP-20 specification, the transfer, transferFrom, and approve functions should return a boolean. This vulnerability may lead to incorrect operation when other contracts interact with the token.
Set the appropriate return values and types for the transfer, transferFrom, and approve functions.
Missing events for critical access control parameters were detected. Emit an event for critical parameter changes.
Missing zero address validation was detected. Check that the address is not zero.
According to the EIP-20 specification, the decimals variable should be of type uint8.
It is recommended to change the type of the decimals variable to uint8.
BlackList
- The addBlackList function restricts token transfers for the user.
- The destroyBlackFunds function resets the user's account to zero.
Pausable
- The pause function allows the owner to stop the transfer and transferFrom operations.
BRICSChainToken
- The deprecate function allows the owner to change the address of the token at any time.
- The issue, mint, and mintTo functions allow the owner to issue an unlimited number of tokens.
- The redeem function allows the owner to burn tokens, but no more than balances[owner].
- The setParams function allows the owner to change basisPointsRate and maximumFee, but not to more than 20 and 50 respectively.
- The recoverTokens function allows the owner to withdraw tokens after an upgrade.
Since the owner has unlimited rights to do everything, ownership must be given to a multi-signature contract.
Unorganized and non-standardized docstrings.
Contracts in the code base have incomplete docstrings detailing the status and functionality of the contract. This hinders reviewers' understanding of the code's intention, which is fundamental to correctly assessing security and correctness. Additionally, detailed docstrings improve readability and ease maintenance. They should explicitly explain the purpose or intention of the functions, the scenarios under which they can fail, the roles allowed to call them, the values returned, and the events emitted.
Consider thoroughly documenting all functions (and their parameters). Functions that implement sensitive functionality should be documented as well. When writing docstrings, consider following the Ethereum Natural Specification Format (NatSpec).
It is recommended to change the type of the variables basisPointsRate and maximumFee to uint8, because their values will not be greater than 20 and 50 respectively.