This is the report from a security audit performed on ONEX by MrCrambo.
The audit focused primarily on the security of ONEX smart contract.
In total, 5 issues were reported including:
-
3 high severity issues.
-
0 medium severity issues.
-
2 low severity issues.
In function getProofOfStakeReward there is wrong interest calculation for first two years, because maxMintProofOfStake is default 10% annual interest as written in line 80 and interest for first year should be 100% that means 10 times more than maxMintProofOfStake, but it calculates as interest = (770 * maxMintProofOfStake).div(100); that means it's less than 100%. Similar situation with calculations for second year.
Rewrite the logic of interest calculation.
_coinAge variable calculates as sum of tokens amount and days count that means it's wrong calculation, because tokens amount and time are different variable types.
Rewrite the logic of _coinAge variable calculation.
In [mint] function if someone transfered you some tokens in last three days, this transfers history will be removed and user will not get _coinAge value for this transfers.
Rewrite the logic of mint because some transfers could be removed before getting reward for them.
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. More details here
In transferToAddress function there is no zero address checking.
Add zero address checking
require(_to != address(0));Smart contract has high severity issues, which should be fixed.