This document is a security audit report performed by RideSolo, in which the ZRX Token has been reviewed.
Token description:
Symbol : ZRX
Name : 0x Protocol Token
Total supply: 1,000,000,000
Decimals : 18
Standard : ERC20
- ZRXToken.sol github gist 9e3f16ce8289f6fafa64c9fee13dfd1f.
3 issues were reported:
- 1 medium severity issue.
- 2 low severity issues.
- Following the EIP-20 specification, transfer should throw when the msg.sender doesn't have enough funds, instead of returning false.
- Same as the previous point, following the specification transferFrom should throw and not return false if the _from address doesn't have enough funds, or if the allowed value isn't enough to cover the transaction _value.
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L60
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L70
Even if the likelihood of such an issue representing a risk for users is very low, the reimplemented transferFrom, which treats an allowance of the maximum uint value as unlimited and does not decrement it, is not compliant with the ERC-20 standard. Users should be aware of it.
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L108
- A double withdrawal attack is possible (the ERC-20 approve/transferFrom front-running race condition: a spender who sees an allowance change pending can spend the old allowance before the new one takes effect). More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here
Add the following code to the transfer(address _to, ...)
function:
require( _to != address(this) );
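The following contract is an added illustration, not the audited ZRXToken.sol and not 0x's own code. It contrasts the return-false pattern the report flags with a transfer that reverts, keeps the unlimited-allowance behaviour of transferFrom explicit so readers can see what the non-compliance consists of, guards approve() against the double withdrawal race, and applies the recommended require(_to != address(this)) check. The contract names NonCompliantToken and HardenedToken, the choice of Solidity 0.8, the zero-address check and the increase/decreaseAllowance helpers are assumptions made for this example; the token parameters come from the description above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative reconstruction of the pattern the report calls non-compliant:
// on insufficient balance the call returns false instead of reverting, so a
// caller that ignores the return value proceeds as if the payment happened.
// (Assumed example, not a quote of the audited contract.)
contract NonCompliantToken {
    mapping(address => uint256) internal balances;
    event Transfer(address indexed from, address indexed to, uint256 value);

    function transfer(address _to, uint256 _value) public returns (bool) {
        if (balances[msg.sender] < _value) {
            return false; // EIP-20 says this SHOULD throw
        }
        balances[msg.sender] -= _value;
        balances[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }
}

// Hardened version addressing each finding of the report.
contract HardenedToken {
    string public constant name = "0x Protocol Token";
    string public constant symbol = "ZRX";
    uint8 public constant decimals = 18;
    uint256 public constant totalSupply = 1_000_000_000 * 10 ** 18;
    uint256 internal constant MAX_UINT = type(uint256).max;

    mapping(address => uint256) internal balances;
    mapping(address => mapping(address => uint256)) internal allowed;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() {
        balances[msg.sender] = totalSupply;
        emit Transfer(address(0), msg.sender, totalSupply);
    }

    function balanceOf(address _owner) public view returns (uint256) {
        return balances[_owner];
    }

    function allowance(address _owner, address _spender) public view returns (uint256) {
        return allowed[_owner][_spender];
    }

    // Shared guard: reverts on insufficient funds as EIP-20 expects, and
    // rejects _to == address(this) (the report's recommendation) so tokens
    // cannot be stranded inside the token contract. The zero-address check is
    // an extra not taken from the report.
    function _transfer(address _from, address _to, uint256 _value) internal {
        require(_to != address(this), "transfer to token contract");
        require(_to != address(0), "transfer to zero address");
        require(balances[_from] >= _value, "insufficient balance");
        balances[_from] -= _value;
        balances[_to] += _value; // 0.8 checked arithmetic reverts on overflow
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        _transfer(msg.sender, _to, _value);
        return true;
    }

    // An allowance equal to MAX_UINT is treated as unlimited and is never
    // decremented. This is the deviation from EIP-20 the report describes;
    // it saves one storage write per transferFrom and is kept here on purpose,
    // documented rather than hidden, since users of the token must know it.
    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        uint256 current = allowed[_from][msg.sender];
        require(current >= _value, "insufficient allowance");
        if (current != MAX_UINT) {
            allowed[_from][msg.sender] = current - _value;
        }
        _transfer(_from, _to, _value);
        return true;
    }

    // Double withdrawal mitigation: a non-zero allowance may only be replaced
    // after being reset to zero, so a spender cannot front-run the change and
    // spend both the old and the new amount.
    function approve(address _spender, uint256 _value) public returns (bool) {
        require(_value == 0 || allowed[msg.sender][_spender] == 0, "reset allowance to 0 first");
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // Alternative that avoids the two-step reset: adjust relative to the
    // current value, so a front-run spend is bounded by the larger of the
    // old and the intended new allowance instead of their sum.
    function increaseAllowance(address _spender, uint256 _added) public returns (bool) {
        allowed[msg.sender][_spender] += _added;
        emit Approval(msg.sender, _spender, allowed[msg.sender][_spender]);
        return true;
    }

    function decreaseAllowance(address _spender, uint256 _subtracted) public returns (bool) {
        uint256 current = allowed[msg.sender][_spender];
        allowed[msg.sender][_spender] = _subtracted >= current ? 0 : current - _subtracted;
        emit Approval(msg.sender, _spender, allowed[msg.sender][_spender]);
        return true;
    }
}
```

To check the transfer finding in a test, call NonCompliantToken.transfer with a value above the sender's balance and observe a successful transaction returning false, then call HardenedToken.transfer with the same inputs and observe a revert; the approve guard can be checked by approving a non-zero amount twice in a row, which the hardened contract rejects on the second call.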
The audited code has some ERC20 compliance issues.