This is the report from a security audit performed on AMO by MrCrambo.
The audit focused primarily on the security of AMO smart contracts.
- https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoin.sol
- https://github.com/AMO-Project/AMO-Contracts/blob/master/contracts/AMOCoinSale.sol
In total, 7 issues were reported including:
-
0 high severity issues.
-
2 medium severity issues.
-
3 owner privilegies issues.
-
2 low severity issues.
There is possibility of setting zero address as admin in function AMOCoin and as contract address in function setTokenSaleAmount.
Check address for zero address:
require(_adminAddr != address(0));Owner can disable transfer functions any time he wants.
Owner can disable any amount of tokens for any address using function lockAccount.
Modifier will fail the function in case of transfering funds to sale address. For example in function setTokenSaleAmount there are approving funds for tokenSaleAddr. And after it should be transfered from to this address, but transferFrom function checks with using onlyValidDestination(to) modifier.
In function allocateTokensToMany there is possibility of Out of gas in case array will have lot of addresses and function should be call transferFrom function each time.
Owner can change minContribution, maxContribution, rate and hardCap for each sale round before starting sale.
Owner can start any round in any order, because there is no checking in function setUpSale that rounds will be in correct order.
Smart contract contains medium severity issues and should be fixed.