This is the report from a security audit performed on LUTOKEN by gorbunovperm.
Smart contract Token ERC20
Commit hash: efdf556013c20b225ae31261ef95d8911e0b37fe
Notice: the UpgradeAgent.upgradeFrom() method was not audited because its code is not included here.
In total, 4 issues were reported, including:
- 0 critical severity issues.
- 0 high severity issues.
- 2 medium severity issues.
- 2 low severity issues.
- 0 minor observations.
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here
Add the following code to the function transfer(address _to, ... ):
require( _to != address(this) );
The contract owner is allowed to pause functions of the contract (transfer, transferFrom).
The same applies to the freezing mechanism.
The owners can implement any logic in the new contract. Even if the new contract is audited, the address of the new contract can be changed again at any time to one that is unaudited and insecure.
According to the ERC20 standard, when a token contract is initialized and any token value is assigned to an address, a Transfer event should be emitted.
No event is emitted when the initial supply is assigned to msg.sender.
Some vulnerabilities were discovered in these contracts.