ETH_Asure_report.md

Asure Token Report.

1. Summary

This document is a security audit report performed by RideSolo, where Asure Token has been reviewed.

2. In scope

• Migrations.sol github commit hash d5e819c9e061be5ad9387582e7522b03b1abc539.
• AsureToken.sol github commit hash e252c5808a199a23ab71e5882dab279e5ffe4e25.
• AsureCrowdsaleDeployer.sol github commit hash cd24bac8af2db678f85bc0ad92a6fddd535525fd.
• AsureCrowdsale.sol github commit hash 445c6bba4e091929f3d25a09ffe1f6cc8c963185.
• AsureBounty.sol github commit hash c1a4957bf11a0694c81f63a7425d4e1128dbab91.
• AsureBonusesCrowdsale.sol github commit hash 213665e7e3a62ab2ab1d63d23a8f2649f37a53e7.
• TestAsureBonusesCrowdsale.sol github commit hash 213665e7e3a62ab2ab1d63d23a8f2649f37a53e7.
• TestToken.sol github commit hash 7d0791d35a51a15e81bf04f6e198beed7d408a75.
• TestToken.sol github commit hash 7d0791d35a51a15e81bf04f6e198beed7d408a75.

3. Findings

2 issues were reported:

• 2 low severity issues.

3.1. Array Size

Severity: low

Description

In drop function member of AsureBounty contract, recipients and values arrays length should be checked if they are the same length.

Code snippet

https://github.com/RideSolo/crowdsale/blob/master/packages/crowdsale/contracts/AsureBounty.sol#L16

3.2. Known vulnerabilities of ERC-20 token

Severity: low

Description

1. It is possible to double withdrawal attack. More details here
2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

Recommendation

Add the following code to the transfer(_to address, ...) function:

require( _to != address(this) );

Code snippet

https://github.com/RideSolo/crowdsale/blob/master/packages/crowdsale/contracts/AsureToken.sol

Conclusion

The audited contracts can be deployed safely.