This document is a security audit report performed by danbogd, where Asure Token has been reviewed.
Сommit hash 50cfbe81c88ba9be85419cc191298872435c4615.
- TestAsureBonusesCrowdsale.sol.
- TestToken.so.
- AsureBonusesCrowdsale.sol.
- AsureBounty.sol.
- AsureCrowdsale.sol.
- AsureCrowdsaleDeployer.sol.
- AsureToken.sol.
- Migrations.sol.
In total, 3 issues were reported including:
- 1 medium severity issues
- 1 owner privileges
- 1 low severity issues.
No critical security issues were found.
-
According to the whitepaper, specified parameters of soft cup and hard cap, but in code we can't see these functions.
-
According to the [whitepaper] the Asure Team and Advisors will receive their tokens over two years afterthe start of the second phase, but in constructor of AsureCrowdsaleDeployer contract we can't see the Teams and Advisor vesting parameters.
-
According to the [whitepaper] the minimum Contribution is $ 100 (ETH equivalent), but we can't see this parameter in code.
The contract owner allow himself to:
-
update bonus rate, bonus time, croudsale time and default rate before crowdsale opened.
-
withdraw ETH and tokens funds before the end of sales.
The contract is managed manually by the owner which is not good for investors.
-
It is possible to double withdrawal attack. More details here.
-
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.
Add into a function transfer(address _to, ... ) following code:
require( _to != address(this) );
The review did not show any critical issues, some of medium and low severity issues were found.