@yuriy77k
Forked from RideSolo/ETC_onex_audit_report.md
Created December 25, 2018 16:08

ONEX token Audit Report.

1. Summary

This document is a security audit report by RideSolo covering the ONEX token contract.

2. In scope

  • ONEX.sol github commit hash 63b02beee3da39cea86c84703047b5d757e2f756.

3. Findings

3 issues were reported including:

  • 2 medium severity issues.
  • 1 low severity issue.

3.1. Block Gas Limit Error

Severity: medium

Description

When the mint function is executed, getCoinAge is called to return the user's coin age (coins multiplied by days held). getCoinAge iterates over transferIns in a for loop, so if a user has received many transactions, beyond a certain number the call can reach the block gas limit and the transaction will throw. That user will then be unable to receive his reward.

Code snippet

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L241#L252

3.2. Staker Reward

Severity: medium

Description

If a token transfer occurs and the staker has not claimed his reward beforehand (by calling the transfer function with the to address equal to his own), his deposit history in transferIns will be deleted.

According to the ONEX description: "ONEX provides two methods to trigger ONEX staking: 1.Sending a transaction to your own address with any amount of ONEX. 2.Using MyEtherWallet.com or Mist or any other software that can interact with contracts to execute mint() function." Contract developers should therefore inform stakers that transferring tokens after the minimum staking period without first claiming their stake will result in the loss of their reward.

A simple mechanism that adds the reward to the staker's account when he meets the requirement and transfers tokens to another address can be implemented easily.

Code snippet

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L150

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L169

3.3. Token Transfer to Address 0x0

Severity: low

Description

The ONEX token does not require the to address to be non-null before a transfer, so tokens can be accidentally lost to address 0x0.

Code snippet

https://github.com/RideSolo/ONEX-Network/blob/master/contracts/ONEX.sol#L144
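
The following sketch is an added example, not code from ONEX.sol or from the auditor. It shows one way a staking token's transfer could address findings 3.1 to 3.3 together, and for 3.1 it goes beyond the report by replacing the transferIns loop with a single balance-weighted timestamp. The contract name, MIN_AGE, MAX_AGE, YEARLY_PCT and the reward formula are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added sketch, not the ONEX contract: names, periods and rate are assumed.
contract StakeTokenSketch {
    uint256 public constant MIN_AGE = 3 days;   // assumed minimum staking period
    uint256 public constant MAX_AGE = 90 days;  // assumed cap on counted age
    uint256 public constant YEARLY_PCT = 10;    // assumed annual reward rate
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public stakeStart; // one weighted timestamp, no transferIns array
    uint256 public totalSupply;
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 supply) {
        totalSupply = supply;
        _credit(msg.sender, supply);
        emit Transfer(address(0), msg.sender, supply);
    }

    // 3.1: constant-time coin age, so gas does not grow with the number of deposits.
    function pendingReward(address who) public view returns (uint256) {
        uint256 age = block.timestamp - stakeStart[who];
        if (age < MIN_AGE) return 0;
        if (age > MAX_AGE) age = MAX_AGE;
        return (balanceOf[who] * age * YEARLY_PCT) / (365 days * 100);
    }

    // Deposits move the start time by a balance-weighted average.
    function _credit(address to, uint256 value) internal {
        if (value == 0) return;
        uint256 bal = balanceOf[to];
        stakeStart[to] = (bal * stakeStart[to] + value * block.timestamp) / (bal + value);
        balanceOf[to] = bal + value;
    }

    function transfer(address to, uint256 value) external returns (bool) {
        require(to != address(0), "transfer to zero address"); // 3.3
        uint256 reward = pendingReward(msg.sender); // 3.2: pay out before the stake clock resets
        stakeStart[msg.sender] = block.timestamp;
        if (reward > 0) {
            balanceOf[msg.sender] += reward;
            totalSupply += reward;
            emit Transfer(address(0), msg.sender, reward);
        }
        balanceOf[msg.sender] -= value; // checked arithmetic reverts on insufficient balance
        _credit(to, value);
        emit Transfer(msg.sender, to, value);
        return true;
    }
}
```

The weighted timestamp preserves total coin-days across deposits but applies the minimum age to the blended stake rather than to each deposit, so it is a design trade-off and not a drop-in replacement for per-deposit accounting.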

4. Conclusion

The audited contract is safe.
