This is the report from a security audit performed on ZRX by MrCrambo.
The audit focused primarily on the security of ZRX smart contract.
In total, 3 issues was reported including:
-
0 high severity issues.
-
1 medium severity issues.
-
2 low severity issues.
From ERC-20 specification:
The function SHOULD throw if the _from account balance does not have enough tokens to spend.
But in this implementation transfer
(Line 60) and transferFrom
(Line 70) functions just return false. This can lead to serious consequences.
Use require(...)
instead of if ()
when check sender balance.
In functions transfer
(Line 60) and transferFrom
(Line 70) there are no zero address checking.
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. More details here
Add into a function transfer(address _to, ... )
following code:
require( _to != address(this) );
Smart contract contains medium severity issue.