AMO Project smart contract security audit report performed by Callisto Security Audit Department
- AMOCoin.sol github commit hash 51b441202ba09186d2aec530a88f9e898205027c.
- AMOCoinSale.sol github commit hash 390f49f16827d272ce19ddd8a90757c45a974ff0.
In total, 7 issues were reported including:
-
1 medium severity issues.
-
2 low severity issues.
-
2 notes.
-
2 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).
No critical security issues were found.
When allocateTokens
is called the tokenAmount
to be transferred to to
address is not subtracted from allocationList[to].allowedAmount
, meaning that if the function is called again by the owner a higher amount than allocationList[to].allowedAmount
can be transferred to the to
.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol#L463#L476
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol#L400#L407
If Multiple allocations are made to user
address using addToAllocationList
function member of AMOCoinSale
, the amount
allocated is not cumulated in allocationList[user].allowedAmount
.
Please note that addToAllocationList
is meant to be used when EarlyInvestment
is set, meaning that real payment are done offchain and this can lead to major errors from the team since this function is only used by the owner.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol#L400#L407
- AMO token owner privileges:
- Enable/Disable transfers/burn/approval for all tokens holders (
onlyWhenTransferAllowed
,enableTransfer
,disableTransfer
) (check here). - Selectively freeze/unfreeze tokens by addresses (
onlyAllowedAmount
,lockAccount
,unlockAccount
) (check here).
- AMO sale owner privileges:
- Token destinated to be sold through the crowdsale contract are approved and not transferred and locked in the sale contract, meaning that the owner will still be able to handle them without backing them up by ether (check here).
- Every round (EarlyInvestment, PreSale,CrowdSale) has three stages (SetUp,Started,Ended), the sale contract logic do not allow to go to a previous stage of a round but a round can be selected once the the previous round has ended using
setUpSale
, meaning that the owner can reset the round even to a previous one. owner should not be able to reselect round insetUpSale
butround
has to be incremented directly inside the function, (check here). - A sale round can be ended by the owner at any moment, (check here.
addToAllocationList
function member ofAMOCoinSale
add tokens amount to mapping for a dedicated users since it is allowed only whenEarlyInvestment
round then we can guess that the token sale was done offchain through fiat or any other way. HoweverremoveFromAllocationList
can also cancel the allowed tokens before thatallocateTokens
is called and the tokens are transferred to the user address. The main issue here is when is the fiat or crypto payment is done and why an address can be removed knowing that a user has maybe didn't get his payment back.- Owner can change minContribution, maxContribution, rate and hardCap for each sale round before starting sale.
There is possibility of setting zero address as admin in function AMOCoin
and as contract address in function setTokenSaleAmount
.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L85
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L101
The modifier onlyValidDestination
from AMOCoin
contract will fail the function in case of transferring funds to sale address. For example in function setTokenSaleAmount
there are approving funds for tokenSaleAddr
. And after it should be transferred from to this address, but transferFrom
function checks with using onlyValidDestination(to)
modifier.
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L67
https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol#L101
It is possible to double withdrawal attack. More details here.
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
https://gist.github.com/yuriy77k/2fc552fd10cb2f77139068f29cfdedb5
https://gist.github.com/yuriy77k/618cb51beedeebb119dd37991a77238f
https://gist.github.com/yuriy77k/23b820cc0dbcced4d173dcbd105b9464