@yuriy77k
Forked from MrCrambo/ETH_USDT_Report.md
Created July 5, 2019 19:11
Summary

This is the report from a security audit of USDT performed by MrCrambo.

The audit focused primarily on the security of the USDT smart contract.

In scope

  1. https://etherscan.io/address/0xdac17f958d2ee523a2206206994597c13d831ec7#contracts

Findings

In total, 8 issues were reported, including:

  • 0 high severity issues.

  • 2 medium severity issues.

  • 1 owner privileges issue.

  • 4 low severity issues.

  • 1 note.

Security issues

1. No events

Severity: note

Description

The transferOwnership function emits no event, so a change of owner cannot be observed from the contract's logs.

2. Zero address checking

Severity: low

Description

There is no zero-address check on the recipient in the transfer and transferFrom functions.

3. Allowance decrease

Severity: low

Description

In transferFrom the allowance is not decreased when it equals MAX_UINT, so a spender approved for MAX_UINT keeps an unlimited allowance until the token holder explicitly changes it.
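Added illustration of this finding (not the audited USDT code): a minimal token whose transferFrom follows the pattern the finding describes, skipping the allowance decrement when the spender holds a MAX_UINT approval. It is written for Solidity 0.8.x, whose built-in overflow checks replace the SafeMath calls of the 0.4.x era; the starting balance and the hasInfiniteAllowance helper are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration of finding 3 (not the audited contract): a spender approved
// for MAX_UINT is never charged against that allowance.
contract AllowanceDemo {
    uint256 public constant MAX_UINT = type(uint256).max;

    mapping(address => uint256) public balances;
    mapping(address => mapping(address => uint256)) public allowed;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor() {
        balances[msg.sender] = 1_000_000; // constructed starting balance
    }

    function approve(address _spender, uint256 _value) public returns (bool) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // The allowance is reduced only when it is below MAX_UINT. A spender
    // approved for MAX_UINT therefore keeps unlimited spending rights until
    // the token holder calls approve() again with a smaller value.
    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        uint256 _allowance = allowed[_from][msg.sender];
        require(_value <= _allowance, "allowance exceeded");
        if (_allowance < MAX_UINT) {
            allowed[_from][msg.sender] = _allowance - _value;
        }
        balances[_from] -= _value; // reverts on underflow in 0.8.x
        balances[_to] += _value;
        emit Transfer(_from, _to, _value);
        return true;
    }

    // Reviewer helper (assumed, not part of the audited contract): true while
    // the spender still holds an unconsumed MAX_UINT approval.
    function hasInfiniteAllowance(address _owner, address _spender) public view returns (bool) {
        return allowed[_owner][_spender] == MAX_UINT;
    }
}
```

Walkthrough: the holder calls approve(spender, MAX_UINT); the spender then calls transferFrom any number of times and hasInfiniteAllowance(holder, spender) still returns true afterwards, which is the behaviour the finding points at. Token holders should treat a MAX_UINT approval as a standing authorization rather than a budget.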

4. Owner privileges

Severity: owner privileges

Description

The owner can pause the contract at any time.

5. Blacklist funds

Severity: medium

Description

The owner can add any address to the isBlackListed mapping and then destroy all funds of that address without any restriction.

6. Unlimited minting

Severity: medium

Description

Using the issue function, the owner can mint any amount of tokens at any time, so unlimited minting is possible.
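Added example for this finding (not the audited USDT code): the owner-only issue pattern shown twice, once unbounded as the finding describes and once behind a hard supply cap. The cap, its constructor parameter and the remainingMintable helper are assumptions of this example; the audited contract has no such cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration of finding 6 (not the audited contract): unbounded owner
// minting beside a capped variant.
contract CappedIssueDemo {
    address public owner;
    uint256 public totalSupply;
    uint256 public immutable supplyCap; // assumed cap, fixed at deployment
    mapping(address => uint256) public balances;

    event Issue(uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 _supplyCap) {
        owner = msg.sender;
        supplyCap = _supplyCap;
    }

    // Unbounded variant matching the finding: any amount, any time. The only
    // limit is the uint256 overflow revert that 0.8.x adds automatically.
    function issueUnbounded(uint256 amount) public onlyOwner {
        totalSupply += amount;
        balances[owner] += amount;
        emit Issue(amount);
    }

    // Hardened variant: the cap is checked before any state changes.
    function issue(uint256 amount) public onlyOwner {
        require(totalSupply + amount <= supplyCap, "supply cap exceeded");
        totalSupply += amount;
        balances[owner] += amount;
        emit Issue(amount);
    }

    // Amount the owner can still mint; useful for off-chain monitoring.
    function remainingMintable() public view returns (uint256) {
        return supplyCap - totalSupply;
    }
}
```

A cap turns the owner's minting right into a bounded one that holders can verify on-chain; whether that is acceptable for a fiat-backed token is a governance decision, but the finding's severity rests on the absence of any such bound.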

7. Blacklisted user transferring

Severity: low

Description

Funds can be sent to a blacklisted address with the transfer function: the blacklist is checked for the sender only, not for the recipient.

8. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack (the ERC-20 approve/transferFrom race) is possible. More details here
  2. Lack of a transaction handling mechanism: tokens sent to a contract that does not handle them are lost. More details here

Recommendation

Add the following check to the transfer(address _to, ...) function:

require( _to != address(this) );
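Added example (not the audited USDT code) combining the recommendation above with the fixes for findings 1, 2 and 7: transferOwnership emits an event, and transfer and transferFrom reject the zero address, the token contract itself and blacklisted recipients in addition to blacklisted senders. Written for Solidity 0.8.x; the contract name, event names, starting balance and the _checkRecipient helper are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration of the hardened transfer path (not the audited contract).
contract HardenedTransferDemo {
    address public owner;
    mapping(address => uint256) public balances;
    mapping(address => mapping(address => uint256)) public allowed;
    mapping(address => bool) public isBlackListed;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    event AddedBlackList(address indexed user);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        balances[msg.sender] = 1_000_000; // constructed starting balance
    }

    // Finding 1: ownership changes are now visible in the logs.
    function transferOwnership(address newOwner) public onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function addBlackList(address user) public onlyOwner {
        isBlackListed[user] = true;
        emit AddedBlackList(user);
    }

    function approve(address _spender, uint256 _value) public returns (bool) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // Recipient checks shared by both transfer paths: finding 2 (zero address),
    // the recommendation (token contract itself), finding 7 (blacklisted recipient).
    function _checkRecipient(address _to) internal view {
        require(_to != address(0), "zero address");
        require(_to != address(this), "cannot send to token contract");
        require(!isBlackListed[_to], "recipient blacklisted");
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        require(!isBlackListed[msg.sender], "sender blacklisted");
        _checkRecipient(_to);
        balances[msg.sender] -= _value; // reverts on insufficient balance
        balances[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(!isBlackListed[_from], "sender blacklisted");
        _checkRecipient(_to);
        allowed[_from][msg.sender] -= _value; // reverts if allowance too small
        balances[_from] -= _value;
        balances[_to] += _value;
        emit Transfer(_from, _to, _value);
        return true;
    }
}
```

Putting the recipient checks in one internal function keeps transfer and transferFrom from drifting apart, which is how the sender-only blacklist check in finding 7 arises in the first place.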

Conclusion

The smart contract contains medium severity issues.
