LUTOKEN smart contract security audit report performed by Callisto Security Audit Department
Smart contract Token ERC20
Commit hash: efdf556013c20b225ae31261ef95d8911e0b37fe
Notice: UpgradeAgent.upgradeFrom() method is not audited because the lack of method code here.
In total, 6 issues were reported including:
-
3 low severity issues.
-
3 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).
No critical security issues were found.
-
It is possible to double withdrawal attack. More details here.
-
Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.
Add the following code to the transfer(_to address, ...) function:
require( _to != address(this) );
According to ERC20 standard, when initializing a token contract if any token value is set to any given address a Transfer event should be emitted.
An event isn't emitted when assigning the initial supply to the msg.sender.
- Owner can
pausetransfers any time he wants. - Owner can
freezeat any time he wants. - Owner can upgrade contract and implement any logic in the new contract. And even if the new contract will be audited, at any time possible to change the address of the new contract again to not audited and insecure.
- There is no zero address checking in
constructor. - It is possible to remain out of contract control by accidentally calling
setSalefunction without parameter.
The audited smart contract can be deployed. Only low severity issues were found during the audit.
https://gist.github.com/yuriy77k/0c0b5327bfb28a5f061e3773af2b44d0
https://gist.github.com/yuriy77k/b80c07a36e5c276351c89c3bb535aab7
https://gist.github.com/yuriy77k/c34b18d43ab2d60a02f195061ae1a4d5