Skip to content

Instantly share code, notes, and snippets.

@yuriy77k
Forked from RideSolo/ETH_BankorusToken_report.md
Created May 24, 2019 09:08
Show Gist options
  • Save yuriy77k/9b9ce332054f0feedaddefa6544ad645 to your computer and use it in GitHub Desktop.
Save yuriy77k/9b9ce332054f0feedaddefa6544ad645 to your computer and use it in GitHub Desktop.

Bankorus Token Audit Report.

1. Summary

This document is a security audit report performed by RideSolo, where Bankorus Token has been reviewed.

Symbol      : BKTS
Name        : Bankorus Token
Total supply: Mintable
Decimals    : 18 
Standard    : ERC20

2. In scope

3. Findings

3 issues were reported including:

  • 3 low severity issues.

3.1. Owner Priviliges:

Severity: low

Description

  • Pause/Unpause token transfers and approvals.
  • Unlimited token minting.

Code snippet

    modifier whenNotPaused() {
        require(!_paused);
        _;
    }
    function mint(address to, uint256 value) public onlyMinter returns (bool) {
        _mint(to, value);
        return true;
    }

3.2. Decrease Allowance

Severity: low

Description

decreaseAllowance throw in case if the value to be substracted is higher than the amount that is allowed, if the address owner wants to change the value allowed by reducing it and the spender withdraw a part of it before, the function might throw and give more chances for the spender to take the rest of the allowed value.

The value should be set to zero if the value to be subtracted is higher than the allowance.

Code snippet

    function decreaseAllowance(address spender, uint256 subtractedValue) public returns (bool) {
        _approve(msg.sender, spender, _allowed[msg.sender][spender].sub(subtractedValue));
        return true;
    }

3.3. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

Code snippet

    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0));

        _balances[from] = _balances[from].sub(value);
        _balances[to] = _balances[to].add(value);
        emit Transfer(from, to, value);
    }

Recommendation

Add the following code to the _transfer(_to address, ...) function:

require( to != address(this) );
    function _transfer(address from, address to, uint256 value) internal {
        require(to != address(0));
	require( to != address(this) );

        _balances[from] = _balances[from].sub(value);
        _balances[to] = _balances[to].add(value);
        emit Transfer(from, to, value);
    }

4. Conclusion

The audited contract can be deployed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment