This is the report from a security audit performed on ONEX by MrCrambo.
The audit focused primarily on the security of ONEX smart contract.
In total, 5 issues were reported including:
-
3 high severity issues.
-
0 medium severity issues.
-
2 low severity issues.
In function getProofOfStakeReward
there is wrong interest calculation for first two years, because maxMintProofOfStake
is default 10% annual interest as written in line 80 and interest
for first year should be 100% that means 10 times more than maxMintProofOfStake
, but it calculates as interest = (770 * maxMintProofOfStake).div(100);
that means it's less than 100%. Similar situation with calculations for second year.
Rewrite the logic of interest
calculation.
_coinAge
variable calculates as sum of tokens amount and days count that means it's wrong calculation, because tokens amount and time are different variable types.
Rewrite the logic of _coinAge
variable calculation.
In [mint
] function if someone transfered you some tokens in last three days, this transfers history will be removed and user will not get _coinAge
value for this transfers.
Rewrite the logic of mint
because some transfers could be removed before getting reward for them.
- It is possible to double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. More details here
In transferToAddress
function there is no zero address checking.
Add zero address checking
require(_to != address(0));
Smart contract has high severity issues, which should be fixed.