Skip to content

Instantly share code, notes, and snippets.

@yuriy77k yuriy77k/Travelvee.md Secret forked from MrCrambo/Travelvee.md
Created Dec 19, 2018

Embed
What would you like to do?

Summary

This is the report from a security audit performed on Travelvee by MrCrambo.

The audit focused primarily on the security of Travelvee smart contract.

In scope

  1. https://github.com/travelvee/TravelToken/blob/master/travel.sol

Findings

In total, 4 issues were reported including:

  • 2 high severity issues.

  • 1 medium severity issues.

  • 1 low severity issues.

Security issues

1. Transfer hack possibility

Severity: high

Description

In function sendBatchCS there is possibility for owner to make a hack. For example, he can send very small amount of tokens to lot of people and at this time he can call transfer function and send all tokens to someone, this function will continue working, because there will be used variable, not real balance of owner and because of this he could have full balance at the end of function call. Owner calls sendBatchCS with 100 addresses and decided to send 1 token for each airdrop user,at the time of sending ha can call transfer function to some address and if this transfer function will be on blockchain earlier, than his balance will be updated by line 154, like he didnt transfer any token to someone.

Recommendation

Instead of using variable senderBalance subtract from the balance of owner for preventing from issue described above.

require(_balances[msg.sender] >= value);
_balances[msg.sender] = _balances[msg.sender] - value;

2. Wrong calculation of sold tokens

Severity: high

Description

In function _ICOSale there is adding token amount with bonuses to sold tokens amount(which calculated without bonuses) and because of this there should be situations, that user will be not able to buy.

Recommendation

Pass to function _processPurchase only token amount without bonuses in line 307

3. Power of owner

Severity: medium

Description

There is external function burn for burning all none-sold tokens, but also in concstructor there is in line 137 setting that owner is able to transferFrom from this contract to his balance and he can transfer this tokens to his balance instead of burning.

Recommendation

Owner shouldn't have permisions to transfer tokens from contract balance, because he can transfer it to himself instead of burning extra tokens. So we recommend you to distribute all the tokens in constructor, because there is extra 14m tokens left after the sale and it should be distributed.

4. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. More details here

Conclusion

Smart contract has High severity issues which should be fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.