This document is a security audit report performed by RideSolo, where WeiDex has been reviewed.
- Exchange.sol github commit hash db7124b565567e248dd78e2f14ed309128276a22.
- ExchangeBatchTrade.sol github commit hash 13fdd9261cdd78da524884bc104acafbb5551ef2.
- ExchangeMovements.sol github commit hash 849237c8c44d1ffa97f3c40e808b731791649343.
- ExchangeOffering.sol github commit hash ed7a514bf9c62aa9bb16e59ec10b3477d0ca2b7d.
- ExchangeStorage.sol github commit hash 13fdd9261cdd78da524884bc104acafbb5551ef2.
- ExchangeUpgradability.sol github commit hash 13fdd9261cdd78da524884bc104acafbb5551ef2.
- WeiDex.sol github commit hash 4c835122474f34344405dcf6dd12a897f7697b27.
- OldERC20.sol github commit hash 13fdd9261cdd78da524884bc104acafbb5551ef2.
- SimpleOldToken.sol github commit hash 13fdd9261cdd78da524884bc104acafbb5551ef2.
- SimpleToken.sol github commit hash e0a5e7794ca31d8f021a392f6bd4ba345d186506.
- LibCrowdsale.sol github commit hash ed7a514bf9c62aa9bb16e59ec10b3477d0ca2b7d.
- LibMath.sol github commit hash 13fdd9261cdd78da524884bc104acafbb5551ef2.
- LibOrder.sol github commit hash e0a5e7794ca31d8f021a392f6bd4ba345d186506.
- LibSignatureValidator.sol github commit hash 19f4791d4423a8a8ce10d546278a7dc6048e660b.
- IExchangeUpgradability.sol github commit hash 19f4791d4423a8a8ce10d546278a7dc6048e660b.
6 issues were reported including:
- 2 medium severity issues.
- 4 low severity issues.
Referral addresses are set in the deposit function of the ExchangeMovements contract. If a user does not input a referral address and leaves it empty, the referral reward will be assigned to address(0) in the executeTrade function of the Exchange contract.
The impact will be locking an amount of different tokens at address 0x0 without possibility of withdrawal; the amount can vary with the traded volume and the number of users without referral addresses.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/Exchange.sol#L242
Check the referrer address in executeTrade, where referrer should be different from address(0), and allocate the referral reward following the result.
The importEthers/importTokens functions of the ExchangeUpgradability contract do not set the referral address for a user when importing the user's funds from an old exchange address. This issue will cause the same problem described in the "Referral Reward" issue.
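The two referral issues above share one root cause: a referrer of address(0) is stored and later paid. The following contract is an added illustration written for this report's readers; it is not WeiDex code. It assumes Solidity 0.8 (built-in overflow checks), a hypothetical feeAccount that collects fees, and simplified deposit/import/settleFee functions that stand in for ExchangeMovements.deposit, ExchangeUpgradability.importTokens and the fee step of Exchange.executeTrade. The referrer is recorded on both the deposit and the import path, and a fee share is credited to a referrer only when one exists; otherwise the whole fee stays with feeAccount.

```solidity
pragma solidity ^0.8.0;

// Added illustration, not WeiDex code. Internal-balance accounting in which the
// referrer is recorded on deposit and on import, and a fee share is credited to a
// referrer only when one exists; otherwise the whole fee stays with feeAccount.
contract ReferralAccounting {
    address public owner;
    address public feeAccount;                                       // assumed fee collector
    mapping(address => address) public referrals;                    // user => referrer
    mapping(address => mapping(address => uint256)) public balances; // token => user => amount

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address _feeAccount) {
        require(_feeAccount != address(0), "fee account must be set");
        owner = msg.sender;
        feeAccount = _feeAccount;
    }

    // Stores the referrer once per user; an empty or self referral leaves it unset
    // instead of silently mapping the user to address(0).
    function _setReferrer(address user, address referrer) internal {
        if (referrals[user] == address(0) && referrer != address(0) && referrer != user) {
            referrals[user] = referrer;
        }
    }

    // Deposit path. Token custody (transferFrom) is assumed to happen elsewhere.
    function deposit(address token, uint256 amount, address referrer) external {
        _setReferrer(msg.sender, referrer);
        balances[token][msg.sender] += amount;
    }

    // Import path (analogue of importTokens): the referrer is recorded here too,
    // so an imported user does not fall into the address(0) case on the first trade.
    function importTokens(address token, address user, uint256 amount, address referrer) external onlyOwner {
        _setReferrer(user, referrer);
        balances[token][user] += amount;
    }

    // Fee settlement step of a trade (hypothetical; order matching itself is omitted).
    // referralShareBps is the referrer's share of the fee in basis points.
    function settleFee(address token, address trader, uint256 fee, uint256 referralShareBps) external onlyOwner {
        require(referralShareBps <= 10000, "share above 100%");
        require(balances[token][trader] >= fee, "insufficient balance for fee");
        balances[token][trader] -= fee;

        address referrer = referrals[trader];
        uint256 reward = 0;
        if (referrer != address(0)) {
            reward = fee * referralShareBps / 10000;
            balances[token][referrer] += reward;
        }
        // Remainder (or the entire fee when there is no referrer) goes to feeAccount,
        // so no value is ever credited to an address nobody can withdraw from.
        balances[token][feeAccount] += fee - reward;
    }
}
```

The design choice worth noting is that the zero check lives in two places: _setReferrer refuses to store address(0), and settleFee re-checks before crediting, so a balance imported by an older path that never set a referrer still cannot lock funds at 0x0.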
In the transfer function of the ExchangeMovements contract some requirements should be set to avoid sending balances to wrong addresses.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/ExchangeMovements.sol#L119
Add the following lines to the function:
require(to != address(0));
require(to != address(this));
The migrateFunds function of the ExchangeUpgradability contract does not check whether the new exchange address is set to a non-null address.
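The transfer and migrateFunds findings above are both missing-destination-check issues. The contract below is an added example for this report and not WeiDex code; it assumes Solidity 0.8, a hypothetical INewExchange interface with an importTokens entry point on the successor exchange, and an internal-balance model in which the actual ERC20 custody transfer between the two exchanges is handled separately. It shows the two recommended require statements in transfer, and a migrateFunds that validates the target both when it is set and when it is used.

```solidity
pragma solidity ^0.8.0;

// Added illustration, not WeiDex code. A minimal internal-balance contract with the
// destination checks recommended for transfer and a null check on the migration target.
interface INewExchange {
    // Assumed entry point on the successor exchange that credits an imported balance.
    function importTokens(address token, address user, uint256 amount) external;
}

contract MovementChecks {
    address public owner;
    address public newExchange;                                      // zero until set
    mapping(address => mapping(address => uint256)) public balances; // token => user => amount

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Internal transfer between exchange users. The two require statements keep
    // balances from being sent to 0x0 or credited to the exchange's own address,
    // where no user could ever withdraw them.
    function transfer(address token, address to, uint256 amount) external {
        require(to != address(0), "transfer to zero address");
        require(to != address(this), "transfer to exchange contract");
        require(balances[token][msg.sender] >= amount, "insufficient balance");
        balances[token][msg.sender] -= amount;
        balances[token][to] += amount;
    }

    // Migration target is validated once, when set, and again when used.
    function setNewExchange(address _newExchange) external onlyOwner {
        require(_newExchange != address(0), "new exchange is zero address");
        require(_newExchange != address(this), "new exchange is this contract");
        newExchange = _newExchange;
    }

    // Moves the caller's internal balance to the successor exchange. The null check
    // fails early instead of calling importTokens on address(0), and the balance is
    // zeroed before the external call (checks-effects-interactions).
    function migrateFunds(address token) external {
        require(newExchange != address(0), "migration target not set");
        uint256 amount = balances[token][msg.sender];
        require(amount > 0, "nothing to migrate");
        balances[token][msg.sender] = 0;
        INewExchange(newExchange).importTokens(token, msg.sender, amount);
    }
}
```

Checking newExchange at use time, not only when it is set, matters because a call to address(0) through the interface would not revert in the EVM; the high-level call would fail only on the missing return data, and in older compiler versions not even then.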
The following issues are part of mock files that are probably used for tests only:
- transfer/transferFrom do not validate the destination address to avoid transfers to the zero address or any other erroneous address.
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/mocks/OldERC20.sol
As raised by the compiler ("Experimental features are turned on. Do not use experimental features on live deployments"), the audited code uses ABIEncoderV2, which is in an experimental phase and should not be deployed on a live network.
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/Exchange.sol#L2
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/ExchangeBatchTrade.sol#L2
https://github.com/RideSolo/weidex-eth-v2/blob/master/contracts/exchange/ExchangeOffering.sol#L2
The audited contract cannot be deployed. All issues should be fixed, including "Experimental Features", even though it is marked low severity.