Travelvee smart contract security audit report performed by Callisto Security Audit Department
- travel.sol, GitHub commit hash 565fd5f7ae42de2c5647fb89e8b0406483bc77b9.
In total, 8 issues were reported including:
- 1 high severity issue.
- 1 medium severity issue.
- 4 low severity issues.
- 2 minor observations.
No critical security issues were found.
Between the end of every stage and the beginning of the next there is a 24-hour gap during which currentStage returns 0. Index 0 of the _bonuses state variable is the presale 50% bonus, so anyone who buys during that gap receives that bonus.
https://github.com/travelvee/TravelToken/blob/master/travel.sol#L126#L128
https://github.com/travelvee/TravelToken/blob/master/travel.sol#L253#l259
https://github.com/travelvee/TravelToken/blob/master/travel.sol#L283
In the function buyTokens the variable _soldTokens holds the token amount without bonuses, but the function _processPurchase uses the total including bonuses and later compares it against _soldTokens. This may cause tokens to be oversold.
Add the tokens with bonuses to _soldTokens. For example:
_soldTokens = _soldTokens.add(total);
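To make the stage-gap finding and the _soldTokens finding above concrete, here is an added Python model (not code from travel.sol or from Callisto) of the stage lookup and the purchase accounting, each beside a hardened variant; the stage schedule, bonus percentages, rate and cap are constructed values, not the contract's.

```python
DAY = 24 * 3600
# Constructed stage table, not the audited contract's values:
# (start, end, bonus_percent); row 0 is the presale and the rows are
# separated by a 24-hour gap like the one the audit describes.
STAGES = [(0, 10 * DAY, 50), (11 * DAY, 20 * DAY, 20), (21 * DAY, 30 * DAY, 0)]
CAP = 1_000_000   # constructed hard cap on tokens the cap check guards
RATE = 1_000      # constructed tokens per payment unit

def current_stage_vulnerable(now):
    """Stage index; 0 both during the presale and in any gap, so a
    purchase made in a gap is priced with the presale row's 50% bonus."""
    for i, (start, end, _) in enumerate(STAGES):
        if start <= now <= end:
            return i
    return 0

def current_stage_fixed(now):
    """None outside every stage; the purchase path must then refuse."""
    for i, (start, end, _) in enumerate(STAGES):
        if start <= now <= end:
            return i
    return None

class Sale:
    """Minimal purchase accounting. count_bonus=False mirrors the audited
    pattern: the sold counter grows by the base amount while the buyer is
    credited with base plus bonus, so the cap check sees too little."""
    def __init__(self, stage_fn, count_bonus):
        self.stage_fn, self.count_bonus = stage_fn, count_bonus
        self.sold = 0   # what the cap check compares against (_soldTokens)

    def buy(self, now, amount):
        stage = self.stage_fn(now)
        if stage is None:
            raise ValueError("no active stage")   # revert
        base = amount * RATE
        total = base + base * STAGES[stage][2] // 100
        counted = total if self.count_bonus else base
        if self.sold + counted > CAP:
            raise ValueError("cap exceeded")      # revert
        self.sold += counted
        return total   # tokens actually credited to the buyer

def rejects(sale, now, amount):
    # True when the sale refuses the purchase (a revert in Solidity terms).
    try:
        sale.buy(now, amount)
    except ValueError:
        return True
    return False
```

With the vulnerable pair, a purchase one hour after stage 0 ends is credited the 50% presale bonus, and a presale purchase that exactly fills the cap in base tokens still credits 1.5x the cap; the fixed pair refuses both.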
The contract owner allows himself to:
- change the price of the tokens at any moment during or after the presale phase.
- forward all funds.
- burn tokens or not after the crowdsale, depending on the owner's wish.
This contract is managed manually by the owner, without soft cap and withdraw functions, which is not good for investors.
There is no restriction on the amount of airdrop tokens in the function sendBatchCS. The owner can transfer more than 2000000 tokens.
The beginning and ending dates in the constructor are not correct (start from 14 Oct 2018).
Update the beginning and ending dates of the crowdsale.
- A double withdrawal attack is possible. More details here.
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.
Internal function _burnFrom is not used.
Extra checks on lines 171 and 187-187 are redundant; the SafeMath library checks this anyway.
Those lines may be deleted.
The audited smart contract can be exploited to obtain tokens with a high bonus even in advanced stages. Some other vulnerabilities were also detected. We highly recommend completing a bug bounty program before use.
https://gist.github.com/yuriy77k/011b0d2de02fd6059a239fb4542e84c7
https://gist.github.com/yuriy77k/5c4fe3e89449937da2c26b8b48a129f5
https://gist.github.com/yuriy77k/5c6466be51d69e832aa50b79bfe08ced