This is the report from a security audit performed on axmtoken by gorbunovperm.
To provide cross border payments for people of NorthEast India.
Commit hash: 8ac50f805184bade0fb9470aa170e455a254e6f8
In total, 5 issues were reported, including:
- 0 critical severity issues.
- 1 high severity issue.
- 3 medium severity issues.
- 1 low severity issue.
- 0 minor observations.
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here
Add the following code to the function transfer(address _to, ... ):
require( _to != address(this) );
The Transfer event should be emitted only for token transfers. But in this case it is emitted on a transfer of ether. dApps will interpret this as a token transfer, which can lead to loss of funds or incorrect application behavior.
After the end of the ICO, the remaining tokens will be sent (minted) to the owner. But the code does not increase totalSupply_ at the same time. The Transfer event is also missing.
Following the generally adopted ICO rules, the remaining supply should be burned and not sent to a different address.
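A minimal sketch of the accounting this finding asks for, added here as an illustration and not taken from the axmtoken code: if the remainder is credited to the owner at all, totalSupply_ must grow by the same amount and a Transfer from the zero address must be emitted. The contract name, cap, finalize() and balances are assumptions; only totalSupply_ and Transfer come from the report, and the sketch targets Solidity ^0.8.0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited axmtoken code. All names except
// totalSupply_ and Transfer are hypothetical.
contract FinalizeSketch {
    event Transfer(address indexed from, address indexed to, uint256 value);

    address public owner;
    uint256 public cap;            // hypothetical maximum supply for the sale
    uint256 internal totalSupply_;
    bool public finalized;
    mapping(address => uint256) internal balances;

    constructor(uint256 _cap) {
        owner = msg.sender;
        cap = _cap;
    }

    function totalSupply() public view returns (uint256) {
        return totalSupply_;
    }

    function balanceOf(address _who) public view returns (uint256) {
        return balances[_who];
    }

    // Credits the unsold remainder to the owner, as the report describes,
    // while keeping the sum of balances equal to totalSupply().
    function finalize() public {
        require(msg.sender == owner, "only owner");
        require(!finalized, "already finalized");
        finalized = true;

        uint256 remaining = cap - totalSupply_;
        balances[owner] += remaining;
        // Without this line the owner's balance exceeds the reported supply.
        totalSupply_ += remaining;
        // ERC-20 convention for minting: Transfer from the zero address, so
        // wallets and explorers that index events see the new tokens.
        emit Transfer(address(0), owner, remaining);
    }
}
```

Under the report's recommendation the remainder would not be credited to anyone, in which case finalize() would only set the finalized flag and totalSupply_ would stay at the amount actually sold.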
- After each purchase of tokens, the owner receives the ether. He can use these funds to re-purchase tokens.
- The owner has 50% of the tokens. This could be dangerous for investors, especially in combination with paragraph 1.
Funds must be received by the owner only after the ICO finalization.
Some vulnerabilities were discovered in these contracts.