The audit focused primarily on the security of Travelvee smart contract.
In total, 4 issues were reported including:
2 high severity issues.
1 medium severity issues.
1 low severity issues.
1. Transfer hack possibility
In function sendBatchCS there is possibility for owner to make a hack. For example, he can send very small amount of tokens to lot of people and at this time he can call transfer function and send all tokens to someone, this function will continue working, because there will be used variable, not real balance of owner and because of this he could have full balance at the end of function call. Owner calls sendBatchCS with 100 addresses and decided to send 1 token for each airdrop user,at the time of sending ha can call transfer function to some address and if this transfer function will be on blockchain earlier, than his balance will be updated by line 154, like he didnt transfer any token to someone.
Instead of using variable
senderBalance subtract from the balance of owner for preventing from issue described above.
require(_balances[msg.sender] >= value); _balances[msg.sender] = _balances[msg.sender] - value;
2. Wrong calculation of sold tokens
_ICOSale there is adding token amount with bonuses to sold tokens amount(which calculated without bonuses) and because of this there should be situations, that user will be not able to buy.
Pass to function
_processPurchase only token amount without bonuses in line 307
3. Power of owner
There is external function burn for burning all none-sold tokens, but also in concstructor there is in line 137 setting that owner is able to
transferFrom from this contract to his balance and he can transfer this tokens to his balance instead of burning.
Owner shouldn't have permisions to transfer tokens from contract balance, because he can transfer it to himself instead of burning extra tokens. So we recommend you to distribute all the tokens in constructor, because there is extra 14m tokens left after the sale and it should be distributed.
4. Known vulnerabilities of ERC-20 token
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. More details here
Smart contract has High severity issues which should be fixed.