This is the report from a security audit performed on VANMofficial by gorbunovperm.
It's main purpose was/is...
• the creation of the VANM token (ERC20)
• handling our token sale in two phases including balance checks, overflow and whitelisting.
Commit hash: 1c0995c827b200c76e90efe3a809096a71251581
In total, 5 issues were reported including:
-
0 high severity issue.
-
1 medium severity issues.
-
4 low severity issues.
-
0 minor observations.
-
It is possible to double withdrawal attack. More details here
-
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here
In the setPresaleAddress and setCrowdsaleAddress function, the inupt address is not checked for a null value and the funds can be transferred to a 0x0-address.
balances[_presaleAddress] = balances[_presaleAddress].add(presaleSupply);In the constructor is the event of the transfer of funds to address platformAddress, but there is no event on the transfer of funds to address incentivisingAddress.
balances[platformAddress] = platformSupply;
emit Transfer(0x0, platformAddress, platformSupply);
balances[incentivisingAddress] = incentivisingSupply;In functions transferFromIncentivising, transferFromPresale and transferFromCrowdsale the Transfer event is called but as argument from is used 0x0 instead address of corresponing contract. This can be misleading.
Surely the owner is not interested in cheating. But as a fact, it should be said that the code allows the owner to do this.
It is possible to set as crowdsaleAddress a contract-intermediary with which owner can control the funds. In this case the original crowdsale contract will work as it should but also the owner will be able to control the funds. And the same issue with the setPresaleAddress() feature.
For investors. Be vigilant and check the addresses specified in the contract.
No major vulnerabilities were found here.