Skip to content

Instantly share code, notes, and snippets.

@yuriy77k
Forked from RideSolo/ETH_VCP_report.md
Created May 24, 2019 08:15
Show Gist options
  • Save yuriy77k/2ccffd005f727f172e6b879ab9565f05 to your computer and use it in GitHub Desktop.
Save yuriy77k/2ccffd005f727f172e6b879ab9565f05 to your computer and use it in GitHub Desktop.

VPC Token Audit Report.

1. Summary

This document is a security audit report performed by RideSolo, where VCP Token has been reviewed.

Symbol      : VCP
Name        : VCP Coin
Total supply: 1,000,000
Decimals    : 18 
Standard    : ERC20

2. In scope

3. Findings

2 issues were reported including:

  • 2 low severity issues.

3.1. Transfer to address(0)

Severity: low

Description

Token transfers to address(0) are allowed and they are used as basic burn mechanism, however users might by mistake send tokens to 0x0 adderss and lose their tokens.

Code snippet

    function totalSupply() public constant returns (uint) {
        return _totalSupply  - balances[address(0)];
    }
    function transfer(address to, uint tokens) public returns (bool success) {
        balances[msg.sender] = safeSub(balances[msg.sender], tokens);
        balances[to] = safeAdd(balances[to], tokens);
        emit Transfer(msg.sender, to, tokens);
        return true;
    }
    function transferFrom(address from, address to, uint tokens) public returns (bool success) {
        balances[from] = safeSub(balances[from], tokens);
        allowed[from][msg.sender] = safeSub(allowed[from][msg.sender], tokens);
        balances[to] = safeAdd(balances[to], tokens);
        emit Transfer(from, to, tokens);
        return true;
    }

Recommendation

Do not allow transfers to 0x0 addresss and implement a burn function for better event handling and to avoiding token loss.

3.2. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

4. Conclusion

The audite contract is safe for deployement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment