@yuriy77k
Created March 28, 2021 14:28
Dirham Token Security Audit Report


1. Summary

@openzeppelin/contracts-ethereum-package Token smart contract security audit report performed by Callisto Security Audit Department

Dirham is a fiat-collateralized stablecoin backed by AED. It is native to Dirham crypto, where bonds are introduced to blockchain for the first time ever. Dirham holders earn 4% interest every week. Interest is paid by calling the rebase function in the smart contract.

2. In scope

Commit e4a9dc34f9020e7733a289b9b9b4a3d74daee1a1

2.1. Excluded

Openzeppelin library:

3. Findings

In total, 5 issues were reported including:

  • 1 low severity issue.

  • 4 owner privileges.

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

  2. ERC20 is a widely used standard across the Ethereum ecosystem. It is reasonable to assume that ERC20 tokens could be "accidentally" deposited to this contract even though it is not intentional.

Any user in the Ethereum ecosystem can send ERC20 tokens to this contract and will have no ability to extract them back unless there is a special "ERC20-rescue" function implemented in your contract. It is advised to implement this function.

Example: here is the BAT contract address. As you can see, the contract itself holds $497,000 worth of different ERC20 tokens - all these tokens are permanently "stuck" inside the contract and therefore uselessly lost.

Recommendation

A simple "ERC20-rescue" function can solve the problem.

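interface IERC20 {
  // No return value is declared, as in the original snippet.
  function transfer(address _to, uint256 _amount) external;
}

// Sends tokens held by this contract to the owner; place inside the token contract.
function rescueERC20(address _token, uint256 _amount) external onlyOwner {
  IERC20(_token).transfer(owner(), _amount);
}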

3.2. Owner privileges

Severity: owner privileges

Description

  1. The owner can emit fake Transfer events. This could be risky if exchanges work with this token and evaluate transfers using the Transfer event.
  2. A user with MINTER_ROLE can mint any amount of tokens.
  3. A user with REBASER_ROLE can set the rebase factor to any value without restriction and can call the rebase() function as often as he wants. In this case the smart contract can't guarantee that Dirham holders earn 4% interest every week, as stated in the description.
  4. The owner has DEFAULT_ADMIN_ROLE and can grant MINTER_ROLE and REBASER_ROLE to, or remove them from, any address.
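
One way to constrain the rebase privilege described in item 3, shown as an added example that is not code from the audited contract or from the audit team. The contract name, constants, storage layout and Solidity version are assumptions. It caps each rebase at +4% and allows at most one per week; it cannot force the rebaser to call it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration. Every identifier below is hypothetical and is not taken
// from the audited Dirham code.
contract BoundedRebase {
    uint256 public constant ONE = 1e18;            // fixed-point 1.0
    uint256 public constant MAX_STEP = 1.04e18;    // at most +4% per rebase
    uint256 public constant MIN_INTERVAL = 7 days; // at most one rebase per week

    address public immutable rebaser;  // stands in for the REBASER_ROLE holder
    uint256 public rebaseFactor = ONE; // cumulative multiplier applied to balances
    uint256 public lastRebase;         // timestamp of the last accepted rebase

    event Rebased(uint256 step, uint256 newFactor, uint256 timestamp);

    constructor(address _rebaser) {
        rebaser = _rebaser;
        lastRebase = block.timestamp;  // first rebase is possible one week after deployment
    }

    // `step` is the multiplier for this period, e.g. 1.04e18 for +4%.
    function rebase(uint256 step) external {
        require(msg.sender == rebaser, "not rebaser");
        // A step below ONE would shrink balances; a step above MAX_STEP would
        // pay more than the advertised rate.
        require(step >= ONE && step <= MAX_STEP, "step out of bounds");
        // Rate limit: repeated calls inside the same week are rejected.
        require(block.timestamp >= lastRebase + MIN_INTERVAL, "too early");

        lastRebase = block.timestamp;
        rebaseFactor = (rebaseFactor * step) / ONE; // checked arithmetic in 0.8
        emit Rebased(step, rebaseFactor, block.timestamp);
    }
}
```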

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.

5. Revealing audit reports

https://gist.github.com/MrCrambo/dd3f22539e06d502b8b678b7cc705112
