This document is a security audit report performed by RideSolo, where MagicChain has been reviewed.
Token desription:
Symbol : MAGI
Name : MagicChain
Total supply: 42,000,000
Decimals : 6
Standard : ERC223
- MagicChain223.sol github commit hash 79527134d9b7e2fb11584ff52692fb4e2eab88dd.
3 issues were reported:
- 2 medium severity issues.
- 1 minor remark.
ERC-223 standard do not implement a transferFrom function, however the audited code contains a transferFrom function that share the same code (_transfer) as transfer function, knowing that many contract use transferFrom to handle approved token the audited implementation will cause backward compatibility issues with many deployed and probably future deployed contracts.
For example if an address approve tokens to a contract address and the contract address try to call transferFrom to transfer the tokens to itself to be able to execute any logic and knowing that most contract do not implement tokenFallback function the transaction will throw.
ERC223 is intended to fix issues for direct transfer using transfer function only not transferFrom.
For more information check here.
https://github.com/RideSolo/magicchain-blockchain/blob/master/smartcontracts/MagicChain223.sol#L178
unfreezed compute the unfreezed value of tokens since _firstBlock, however the condition in that function is used to limit the unfreezed token to a maximum of _totalSupplyLimit which is wrong since half of the total supply is assigned to the owner in the constructor.
The condition should limit the unfreezed token to half of _totalSupplyLimit otherwise the total supply will be equal to 63M not to 42M, when totalSupply function will return 42M.
Please note that balanceOf cold storage address will throw when _coldStorageOutwill be higher than _initialSupply.
transferFrom function calls _transfer where an external call is made using tokenFallback, if the _to address is a contract a reentrancy scheme is possible since _approve is reseting the value after the call to _transfer but with no impact since SafeMath will throw.
Always check and set the variables before making any external call.
The audited contract contains compatibility issues with contracts that implement ERC20 approve and call mechanism, all the highlighted issues should be solved before deployment.