Bills of exchange factory security audit report

ETH_BillsOfExchangeFactory_report.md

Bills of exchange factory security audit report

Summary

This is the report from a security audit performed on Bills of exchange factory by gorbunovperm.

'Bills Of Exchange Factory' is a smart contracts based service that allows user to draw electronic bills or exchange.

https://cryptonomica.net/bills-of-exchange/

In scope

1. BillsOfExchangeFactory.sol

Findings

In total, 3 issues were reported including:

• 0 critical severity issue.

• 0 high severity issue.

• 1 medium severity issues.

• 2 low severity issues.

• 0 minor observations.

Security issues

1. Known vulnerabilities of ERC-20 token

Severity: low

Description

• It is possible to double withdrawal attack. More details here

• Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

Recommendation

Add into a function transfer(address _to, ... ) following code:

require( _to != address(this) );

2. ERC20 Compliance: event missing

Severity: low

Code snippet

• initToken(), line 200

Description

According to ERC20 standard, when initializing a token contract if any token value is set to any given address a Transfer event should be emitted. An event isn't emitted when assigning the initial supply to the msg.sender.

3. Any admin can take all the power

Severity: medium

Code snippet

• removeAdmin(), line 487

Description

Any admin can remove the contract creator from admin list. Together with the ability to change the withdrawal address by admin, this can be quite dangerous.

Conclusion

There are some vulnerabilities were discovered in these contracts.