This document is a security audit report performed by RideSolo, where MagicChain has been reviewed.
Token desription:
Symbol : MAGI
Name : MagicChain
Total supply: 42,000,000
Decimals : 6
Standard : ERC223
- MagicChain223.sol github commit hash 79527134d9b7e2fb11584ff52692fb4e2eab88dd.
3 issues were reported:
- 2 medium severity issues.
- 1 minor remark.
ERC-223 standard do not implement a transferFrom
function, however the audited code contains a transferFrom
function that share the same code (_transfer
) as transfer
function, knowing that many contract use transferFrom
to handle approved token the audited implementation will cause backward compatibility issues with many deployed and probably future deployed contracts.
For example if an address approve tokens to a contract address and the contract address try to call transferFrom
to transfer the tokens to itself to be able to execute any logic and knowing that most contract do not implement tokenFallback
function the transaction will throw.
ERC223 is intended to fix issues for direct transfer using transfer
function only not transferFrom
.
For more information check here.
https://github.com/RideSolo/magicchain-blockchain/blob/master/smartcontracts/MagicChain223.sol#L178
unfreezed
compute the unfreezed value of tokens since _firstBlock
, however the condition in that function is used to limit the unfreezed token to a maximum of _totalSupplyLimit
which is wrong since half of the total supply is assigned to the owner in the constructor.
The condition should limit the unfreezed token to half of _totalSupplyLimit
otherwise the total supply will be equal to 63M not to 42M, when totalSupply
function will return 42M.
Please note that balanceOf
cold storage address will throw when _coldStorageOut
will be higher than _initialSupply
.
transferFrom
function calls _transfer
where an external call is made using tokenFallback
, if the _to
address is a contract a reentrancy scheme is possible since _approve
is reseting the value after the call to _transfer
but with no impact since SafeMath will throw.
Always check and set the variables before making any external call.
The audited contract contains compatibility issues with contracts that implement ERC20 approve and call mechanism, all the highlighted issues should be solved before deployment.