Skip to content

Instantly share code, notes, and snippets.

@yuriy77k

yuriy77k/ETH_ZRX_report.md Secret

Forked from MrCrambo/ETH_ZRX_report.md
Created April 14, 2019 09:04
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save yuriy77k/471b6aeffdc8bc2c5c6a406dbe656ec7 to your computer and use it in GitHub Desktop.
Save yuriy77k/471b6aeffdc8bc2c5c6a406dbe656ec7 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ETH_ZRX_report.md

Summary

This is the report from a security audit performed on ZRX by MrCrambo.

The audit focused primarily on the security of ZRX smart contract.

In scope

  1. https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f

Findings

In total, 3 issues was reported including:

  • 0 high severity issues.

  • 1 medium severity issues.

  • 2 low severity issues.

Security issues

1. ERC20 Compliance

Severity: medium

Description

From ERC-20 specification:

The function SHOULD throw if the _from account balance does not have enough tokens to spend.

But in this implementation transfer(Line 60) and transferFrom(Line 70) functions just return false. This can lead to serious consequences.

Recommendation

Use require(...) instead of if () when check sender balance.

2. No zero address checking

Severity: low

Description

In functions transfer(Line 60) and transferFrom(Line 70) there are no zero address checking.

3. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. More details here

Recommendation

Add into a function transfer(address _to, ... ) following code:

require( _to != address(this) );

Conclusion

Smart contract contains medium severity issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment