Skip to content

Instantly share code, notes, and snippets.

@yuriy77k

yuriy77k/ETH_travel_audit_report.md Secret

Forked from RideSolo/ETH_travel_audit_report.md
Created January 2, 2019 12:31
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save yuriy77k/011b0d2de02fd6059a239fb4542e84c7 to your computer and use it in GitHub Desktop.
Save yuriy77k/011b0d2de02fd6059a239fb4542e84c7 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ETH_travel_audit_report.md

Travel Token Audit Report.

1. Summary

This document is a security audit report performed by RideSolo, where Travel Token has been reviewed.

2. In scope

  • travel.sol github commit hash 565fd5f7ae42de2c5647fb89e8b0406483bc77b9.

3. Findings

2 issues were reported:

  • 1 high severity issue.
  • 1 low severity issue.

3.1. Stages GAP Exploit

Severity: HIGH

Description

Between every end of a stage and beginning of another stage there is a 24 hour gap where currentStage will return 0 which will be the presale 50% bonus as defined in _bonuses state varibale, any attacker that exploit this will get that bonus.

Code snippet

https://github.com/travelvee/TravelToken/blob/master/travel.sol#L126#L128

https://github.com/travelvee/TravelToken/blob/master/travel.sol#L253#l259

https://github.com/travelvee/TravelToken/blob/master/travel.sol#L283

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

4. Conclusion

The audited can be exploited to get tokens with high bonus even in advanced stages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment