@yuriy77k
Forked from gorbunovperm/ETH_GenesisVision_report.md
Created May 21, 2019 12:26
Genesis Vision security audit report

Summary

This is the report from a security audit performed on Genesis Vision by gorbunovperm.

Genesis Vision is a decentralized asset management platform built on blockchain technology.

https://genesis.vision/

In scope

Commit hash: 4eca90915580f209e86db8270c4f53d6e645712b

  1. TradingHistoryStorage.sol
  2. Migrations.sol
  3. ManagerToken.sol
  4. GenesisVisionPlatform.sol
  5. libs/Models.sol

Findings

In total, 4 issues were reported, including:

  • 0 critical severity issues.

  • 0 high severity issues.

  • 1 medium severity issue.

  • 3 low severity issues.

  • 0 minor observations.

Security issues

1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  • It is possible to perform a double withdrawal attack. More details here

  • Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here

Recommendation

Add the following check to the transfer(address _to, ...) function:

    require(_to != address(this));

2. ERC20 Compliance: event missing

Severity: low

Code snippet

Description

According to ERC20 standard, when initializing a token contract if any token value is set to any given address a Transfer event should be emitted. An event isn't emitted when assigning the initial supply to the msg.sender.

3. Incorrect magnitude of initial supply

Severity: medium

Code snippet

Description

In the constructor, the initial supply is assigned without being scaled by decimals, so the amount actually distributed is only 0.000000000000001000 tokens.

Recommendation

It should be like:

    totalSupply = startTotalSupply * 10**decimals;
    balances[gvPlatform] = startTotalSupply * 10**decimals;

4. The purpose of setStartTotalSupply function

Severity: low

Code snippet

Description

The setStartTotalSupply function is not necessary because the startTotalSupply variable is used only once in the constructor. Changing the value of this variable can be misleading for process participants.
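The following is an added example, not code from the Genesis Vision repository, showing a minimal ERC20 core that applies the recommendations of findings 1 through 4 together: the transfer-to-self check, the Transfer event on the initial mint, the 10**decimals scaling, and startTotalSupply passed once to the constructor instead of living behind a setter. The names gvPlatform and startTotalSupply come from the report; the contract name, token name, symbol and decimals value are assumptions.

```solidity
pragma solidity ^0.5.0;

// Added example (not Genesis Vision's ManagerToken code). Only the pieces the
// report's findings touch are implemented; approve/transferFrom are omitted.
contract HardenedTokenExample {
    string public constant name = "Example";      // assumed
    string public constant symbol = "EXM";        // assumed
    uint8 public constant decimals = 18;          // assumed
    uint256 public totalSupply;
    mapping(address => uint256) internal balances;

    event Transfer(address indexed from, address indexed to, uint256 value);

    // Finding 4: startTotalSupply is consumed only here, so it is a constructor
    // argument rather than a state variable with a public setter.
    // Finding 3: the whole-token amount is scaled by 10**decimals.
    // Finding 2: the initial mint is announced with a Transfer from address(0).
    constructor(address gvPlatform, uint256 startTotalSupply) public {
        require(gvPlatform != address(0), "platform address is zero");
        uint256 scale = 10**uint256(decimals);
        // Guard the multiplication against uint256 overflow.
        require(startTotalSupply <= uint256(-1) / scale, "supply overflows");
        totalSupply = startTotalSupply * scale;
        balances[gvPlatform] = totalSupply;
        emit Transfer(address(0), gvPlatform, totalSupply);
    }

    function balanceOf(address owner) public view returns (uint256) {
        return balances[owner];
    }

    // Finding 1: a transfer to the token contract itself locks the tokens
    // forever, so it is rejected up front.
    function transfer(address _to, uint256 _value) public returns (bool) {
        require(_to != address(this), "transfer to token contract");
        require(_to != address(0), "transfer to zero address");
        require(balances[msg.sender] >= _value, "insufficient balance");
        balances[msg.sender] -= _value;
        // Cannot overflow: the sum of all balances never exceeds totalSupply.
        balances[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }
}
```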

Conclusion

Some vulnerabilities were discovered in these contracts.
