@yuriy77k
Forked from gorbunovperm/ETH_LUTOKEN_report.md
Created May 20, 2019 10:35
LUTOKEN security audit report

Summary

This is the report from a security audit performed on LUTOKEN by gorbunovperm.

Smart contract Token ERC20

https://cinemadrom.com/

In scope

Commit hash: efdf556013c20b225ae31261ef95d8911e0b37fe

  1. LUTOKEN.sol

Notice: the UpgradeAgent.upgradeFrom() method is not audited because its implementation is not included in the audited code.

Findings

In total, 4 issues were reported including:

  • 0 critical severity issues.

  • 0 high severity issues.

  • 2 medium severity issues.

  • 2 low severity issues.

  • 0 minor observations.

Security issues

1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  • A double withdrawal attack is possible (the approve / transferFrom front-running race in the ERC-20 allowance mechanism). More details here

  • There is no mechanism to handle tokens sent to the token contract's own address; such tokens are locked permanently. WARNING! This is a very common issue and it has already caused losses of millions of dollars for many token holders! More details here

Recommendation

Add the following check to the function transfer(address _to, ... ):

require( _to != address(this) );

2. Owner's Privileges

Severity: medium

Code snippet

Description

The contract owner is allowed to pause contract functions (transfer, transferFrom). The freezing mechanism gives the owner the same kind of control over token holders' funds.

3. The upgrade process is not secure for investors

Severity: medium

Code snippet

Description

The owner can implement arbitrary logic in the new contract. Even if the new contract is audited, the upgrade agent address can be changed again at any time, pointing token holders to an unaudited and insecure contract.

4. ERC20 Compliance: event missing

Severity: low

Code snippet

Description

According to the ERC20 standard, a token contract that creates tokens on initialization should emit a Transfer event (with the from address set to the zero address) for the value assigned. No such event is emitted when the initial supply is assigned to msg.sender.

Conclusion

Several vulnerabilities were discovered in this contract.
