This is the report from a security audit performed on Travelvee by MrCrambo.
The audit focused primarily on the security of the Travelvee smart contract.
In total, 4 issues were reported, including:
- 2 high severity issues.
- 1 medium severity issue.
- 1 low severity issue.
In the function sendBatchCS it is possible for the owner to make a hack. For example, he can send a very small amount of tokens to a lot of people and, at the same time, call the transfer function and send all tokens to someone. sendBatchCS will continue working, because it uses a variable rather than the real balance of the owner, and because of this he could have the full balance at the end of the function call. Example: the owner calls sendBatchCS with 100 addresses and decides to send 1 token to each airdrop user. At the time of sending he can call the transfer function to some address, and if this transfer is on the blockchain earlier, then his balance will be updated by line 154 as if he didn't transfer any tokens to anyone.
Instead of using the variable senderBalance, subtract directly from the balance of the owner to prevent the issue described above:

```solidity
require(_balances[msg.sender] >= value);
_balances[msg.sender] = _balances[msg.sender] - value;
```
In the function _ICOSale the token amount with bonuses is added to the sold tokens amount (which is calculated without bonuses), and because of this there can be situations in which a user will not be able to buy.
Pass only the token amount without bonuses to the function _processPurchase in line 307.
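The accounting mismatch described above, as an added sketch that is not the Travelvee contract's code: the contract name, function names, the cap of 1000 tokens and the 25% bonus are all assumptions chosen to make the effect visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the Travelvee contract. Names and numbers are assumptions.
contract SaleAccountingSketch {
    uint256 public constant SALE_CAP = 1000;     // assumed cap, in tokens without bonuses
    uint256 public constant BONUS_PERCENT = 25;  // assumed bonus rate

    uint256 public soldWithBonus;  // counter as in the finding: bonuses are added to it
    uint256 public soldBaseOnly;   // counter as in the recommendation: base amount only

    // Tokens credited to the buyer always include the bonus.
    function _withBonus(uint256 base) internal pure returns (uint256) {
        return base + (base * BONUS_PERCENT) / 100;
    }

    // Finding: the counter meant to track base tokens grows by base + bonus,
    // so it reaches SALE_CAP before SALE_CAP base tokens have been sold.
    function buyAsReported(uint256 base) external returns (uint256 credited) {
        credited = _withBonus(base);
        require(soldWithBonus + credited <= SALE_CAP, "sale cap reached");
        soldWithBonus += credited;
    }

    // Recommendation: only the amount without bonuses reaches the accounting step.
    function buyAsRecommended(uint256 base) external returns (uint256 credited) {
        credited = _withBonus(base);
        require(soldBaseOnly + base <= SALE_CAP, "sale cap reached");
        soldBaseOnly += base;
    }

    // Base tokens each variant can still accept before reverting.
    function remainingAsReported() external view returns (uint256) {
        return ((SALE_CAP - soldWithBonus) * 100) / (100 + BONUS_PERCENT);
    }

    function remainingAsRecommended() external view returns (uint256) {
        return SALE_CAP - soldBaseOnly;
    }
}
```

With these assumed values, eight purchases of 100 tokens fill the reported counter (8 × 125 = 1000) and a ninth reverts with only 800 base tokens sold, while the recommended accounting accepts all ten.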
There is an external function burn for burning all unsold tokens, but in line 137 of the constructor the owner is also allowed to transferFrom from this contract to his balance, so he can transfer these tokens to his balance instead of burning them.
The owner shouldn't have permission to transfer tokens from the contract balance, because he can transfer them to himself instead of burning the extra tokens. So we recommend distributing all the tokens in the constructor, because there are an extra 14m tokens left after the sale and they should be distributed.
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. More details here
The smart contract has high severity issues which should be fixed.