This is the report from a security audit performed on Call by MrCrambo.
The audit focused primarily on the security of the Call smart contracts. The following files were reviewed:
- interfaces/IERC664.sol
- interfaces/IERC777.sol
- interfaces/IERC777TokensRecipient.sol
- interfaces/IERC664TokensSender.sol
- misc/ERC664Balances.sol
- misc/SafeGuard.sol
- test/EIP20.sol
- test/Test.sol
- test/TestTokensRecipient.sol
- test/TestTokensSender.sol
- token/ERC777.sol
- token/ERC777ERC20Compat.sol
- token/ERC777RemoteBridge.sol
- CALL.sol
- CStore.sol
In total, 7 issues were reported, including:
- 0 high severity issues.
- 2 medium severity issues.
- 3 owner privileges issues.
- 2 low severity issues.
- 0 notes.
There is no zero address check in the functions setModule, incBalance and decBalance of the misc/ERC664Balances.sol contract, nor in the functions transfer and transferFrom of test/EIP20.sol. Without such a check a mistyped or uninitialised address argument is accepted instead of reverting.
- Owner can increase and decrease any user's balance in the misc/ERC664Balances.sol contract.
- Owner can change the balance database (line 32 of CStore.sol), which could be risky for investors.
- Owner can enable and disable ERC20Token.
Owner can increase totalSupply without limit in the misc/ERC664Balances.sol contract, which could be risky for investors.
Add a cap equal to the maximum total supply and check, on every increase, that the resulting totalSupply does not exceed this cap.
Owner can decrease totalSupply so far that it becomes less than the total amount of tokens held by users in the misc/ERC664Balances.sol contract.
Add a check that the decreased totalSupply is not less than the tokens held by users.
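The following is an added example, not code from the audited Call project, showing how the three findings above (missing zero address checks, unbounded totalSupply increase, totalSupply decrease below user holdings) can be closed in a balance store shaped like misc/ERC664Balances.sol. The function names setModule, incBalance and decBalance are taken from the report; the contract name, the module-only access model, the deploy-time cap and the Solidity 0.8 target are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited project's code): a minimal balance store in
// the shape of misc/ERC664Balances.sol with the checks the report asks for.
// Only setModule/incBalance/decBalance are names from the report; the rest
// is assumed here for illustration.
contract CappedBalances {
    address public owner;
    address public module;          // the only caller allowed to move balances
    uint256 public totalSupply;
    uint256 public immutable cap;   // hard ceiling on totalSupply, fixed at deploy

    mapping(address => uint256) private balances;

    event ModuleChanged(address indexed previousModule, address indexed newModule);

    error ZeroAddress();
    error NotOwner();
    error NotModule();
    error CapExceeded(uint256 requested, uint256 cap);
    error InsufficientBalance(address account, uint256 balance, uint256 requested);

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier onlyModule() { if (msg.sender != module) revert NotModule(); _; }

    constructor(uint256 _cap) {
        owner = msg.sender;
        cap = _cap;   // investors can read the maximum supply on-chain
    }

    // Finding: setModule accepted address(0). Reject it explicitly so a bad
    // deployment script cannot leave the balance store with an unusable module.
    function setModule(address _module) external onlyOwner {
        if (_module == address(0)) revert ZeroAddress();
        emit ModuleChanged(module, _module);
        module = _module;
    }

    // Finding: incBalance had no zero address check and let totalSupply grow
    // without bound. The cap is enforced on the resulting supply, not the
    // current one, so a single large mint cannot jump past it.
    function incBalance(address _to, uint256 _amount) external onlyModule {
        if (_to == address(0)) revert ZeroAddress();
        uint256 newSupply = totalSupply + _amount;   // 0.8 reverts on overflow
        if (newSupply > cap) revert CapExceeded(newSupply, cap);
        totalSupply = newSupply;
        balances[_to] += _amount;
    }

    // Finding: decBalance could push totalSupply below the sum of user
    // holdings. Here every decrement of totalSupply removes the same amount
    // from a real holder, so totalSupply == sum(balances) holds at all times
    // and the "not below holdings" check is satisfied structurally.
    function decBalance(address _from, uint256 _amount) external onlyModule {
        if (_from == address(0)) revert ZeroAddress();
        uint256 bal = balances[_from];
        if (bal < _amount) revert InsufficientBalance(_from, bal, _amount);
        balances[_from] = bal - _amount;
        totalSupply -= _amount;   // cannot underflow: balances[_from] <= totalSupply
    }

    function balanceOf(address _who) external view returns (uint256) {
        return balances[_who];
    }
}
```

The decrease check is implemented as an invariant rather than a comparison: because totalSupply only changes together with a holder's balance, it can never be smaller than the tokens held. If the real contract needs a separate supply-only decrease path, keep a running sum of holdings and require that the new totalSupply is not below it, which is the literal form of the recommendation above.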
- A double withdrawal attack is possible (the ERC20 approve/transferFrom race, where a spender front-runs an allowance change and spends both the old and the new allowance). More details here
- Lack of a transaction handling mechanism: tokens transferred to the token contract's own address are locked there. More details here
Add the following check to the function transfer(address _to, ... ) so that tokens cannot be sent to the token contract itself:
require( _to != address(this) );
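The following is an added example, not code from the audited Call project or from test/EIP20.sol, showing both low severity fixes in one ERC20-style token: the self-transfer guard recommended above, and the increaseAllowance/decreaseAllowance pattern that limits the approve double withdrawal race. The contract name, token metadata and the Solidity 0.8 target are assumptions of this example; transfer, approve and transferFrom follow the standard ERC20 signatures.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the audited project's code): a minimal ERC20 token with
// (a) the require(_to != address(this)) guard from the report and (b) the
// relative allowance functions that defuse the approve() double withdrawal.
contract GuardedToken {
    string public constant name = "Guarded";     // assumed metadata
    string public constant symbol = "GRD";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed holder, address indexed spender, uint256 value);

    constructor(uint256 _initialSupply) {
        totalSupply = _initialSupply;
        balanceOf[msg.sender] = _initialSupply;
        emit Transfer(address(0), msg.sender, _initialSupply);
    }

    // Lack of transaction handling: nothing in this contract can move tokens
    // out of its own balance, so a transfer to address(this) burns them for
    // the sender. address(0) is rejected for the same reason.
    function _transfer(address _from, address _to, uint256 _value) internal {
        require(_to != address(0), "transfer to zero address");
        require(_to != address(this), "transfer to token contract");
        uint256 fromBal = balanceOf[_from];
        require(fromBal >= _value, "insufficient balance");
        balanceOf[_from] = fromBal - _value;
        balanceOf[_to] += _value;
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) external returns (bool) {
        _transfer(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) external returns (bool) {
        uint256 allowed = allowance[_from][msg.sender];
        require(allowed >= _value, "allowance exceeded");
        allowance[_from][msg.sender] = allowed - _value;   // consume before moving funds
        _transfer(_from, _to, _value);
        return true;
    }

    // Double withdrawal: if Alice approved Bob for 100 and then calls
    // approve(Bob, 50), Bob can front-run that transaction with
    // transferFrom(Alice, ..., 100) and, after the new approval lands, spend
    // another 50. approve() is kept for ERC20 compatibility; holders who need
    // to change a non-zero allowance should use the two functions below.
    function approve(address _spender, uint256 _value) external returns (bool) {
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    function increaseAllowance(address _spender, uint256 _added) external returns (bool) {
        uint256 updated = allowance[msg.sender][_spender] + _added;
        allowance[msg.sender][_spender] = updated;
        emit Approval(msg.sender, _spender, updated);
        return true;
    }

    // If the spender front-runs this call and drains the old allowance, the
    // decrease reverts instead of granting a fresh allowance on top of what
    // was already spent; the spender never gets old + new.
    function decreaseAllowance(address _spender, uint256 _subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][_spender];
        require(current >= _subtracted, "decrease below zero");
        uint256 updated = current - _subtracted;
        allowance[msg.sender][_spender] = updated;
        emit Approval(msg.sender, _spender, updated);
        return true;
    }
}
```

The relative functions do not remove the race entirely (a spender can still consume the old allowance before a decrease is mined), but they bound the damage to the allowance the holder already granted, which is the property the double withdrawal attack violates.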
The smart contracts contain medium severity issues.