This document is a security audit report performed by danbogd, where Bills of exchange factory has been reviewed.
Сommit hash .
In total, 8 issues were reported including:
- 1 medium severity issues
- 3 low severity issues
- 3 owner privileges (ability of owner to manipulate contract, may be risky for investors)..
- 1 notes.
No critical security issues were found.
While the specification defined the number of token decimals to be 18, no decimals were found to be used. This can cause problems when interacting with other smart contracts as tokens with 0 decimals can cause rounding errors. For example, many exchanges charge a small fee based on the tokens exchanged. As such, using no decimals will either make it impossible to list the token on these exchanges or it will result in having expensive fees compared to other tokens.
Line 153.
The reviewed token contract is not ERC223 fully compliant.
-
The function transfer(address _to, uint _value, bytes _data) call tokenFallback external function on the receiver contract without adding the value to balances[_to]. The original implementation adds the token value to the balance before making the external call here
-
ERC223 does not implement an approve/transferFrom mechanism.
-
It is possible to double withdrawal attack. More details here.
-
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.
Add into a function transfer(address _to, ... )
following code:
require( _to != address(this) );
In this functions there are no checking for zero address.
Lines: 430, 451.
According to ERC20 standard, when initializing a token contract if any token value is set to any given address a transfer event should be emitted. An event isn't emitted when assigning the initial supply to the msg.sender.
Line 200.
Contract owner allow himself to:
-
Owner can upgrade contract and implement any logic in the new contract. And even if the new contract will be audited, at any time possible to change the address of the new contract again to not audited and insecure. (line 430)
-
fix or not fix withdraw address depends from owner.(line 541)
-
change price (line 614)
The audited smart contract is not safe to deploy.