@yuriy77k
Forked from gorbunovperm/ETH_MagicChain_report.md
Created April 12, 2019 09:59
MagicChain security audit report

Summary

This is the report from a security audit performed on magicchain-blockchain by gorbunovperm.

The smart contract issues an ERC223 token. The total emission is fixed, but half of the tokens are frozen in cold storage; 5 tokens are unfrozen with every Ethereum block.

In scope

  1. MagicChain223.sol

Findings

In total, 3 issues were reported, including:

  • 1 high severity issue.

  • 0 medium severity issues.

  • 2 low severity issues.

  • 0 minor observations.

Security issues

1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  • The token is exposed to the ERC-20 double withdrawal (approve/transferFrom front-running) attack. More details here

Recommendation

Add the following check to the transfer(address _to, ... ) function:

    require( _to != address(this) );

This check prevents tokens from being sent to the token contract's own address, where they would be locked with no way to recover them. The approve/transferFrom race itself is the well-known ERC-20 issue that callers mitigate by setting an allowance to zero before changing it to a new non-zero value.

2. Incorrect Cold Storage maximum supply

Severity: high

Code snippet

Description

The maximum possible balance of ColdStorage is _totalSupplyLimit - _initialSupply, but the unfreeze function calculates the available funds incorrectly. This allows twice as many tokens to be transferred out of cold storage as should ever be possible.

Recommendation

Cap the unfrozen amount at the frozen part of the supply, for example:

    if(u > _totalSupplyLimit - _initialSupply) {
        u = _totalSupplyLimit - _initialSupply;
    }
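The following model of the unfreeze schedule is an added illustration, not code from the MagicChain223 contract, whose snippet is not reproduced in this report. The constants, the names startBlock, perBlock, alreadyUnfrozen, and the buggy cap at _totalSupplyLimit are assumptions chosen to follow the report's description (half of the supply frozen, 5 tokens released per block); the buggy variant is one way the release can come out at twice the cold-storage balance, placed beside the recommended cap.

```solidity
pragma solidity ^0.5.0;

// Added model of the cold-storage unfreeze schedule described in the report.
// NOT the MagicChain223 code: constants and names below are assumptions, and
// unfrozenBuggy() is an assumed reconstruction of a cap that releases double
// the frozen amount, shown next to the report's recommended cap.
contract ColdStorageSchedule {
    uint256 public constant _totalSupplyLimit = 100000 * 1e18;       // assumed limit
    uint256 public constant _initialSupply = _totalSupplyLimit / 2;  // half minted at start
    uint256 public constant perBlock = 5 * 1e18;                      // 5 tokens per block (assumed 18 decimals)

    uint256 public startBlock;        // block at which the schedule started
    uint256 public alreadyUnfrozen;   // tokens already moved out of cold storage

    constructor() public {
        startBlock = block.number;
    }

    // Assumed buggy cap: bounds the schedule by the whole supply limit instead of
    // the frozen remainder. Since _initialSupply is half the limit, this lets the
    // schedule grow to twice what cold storage actually holds.
    function unfrozenBuggy() public view returns (uint256 u) {
        u = (block.number - startBlock) * perBlock;
        if (u > _totalSupplyLimit) {
            u = _totalSupplyLimit;
        }
    }

    // Report's recommendation: the cap is the frozen part only.
    function unfrozenCorrect() public view returns (uint256 u) {
        u = (block.number - startBlock) * perBlock;
        if (u > _totalSupplyLimit - _initialSupply) {
            u = _totalSupplyLimit - _initialSupply;
        }
    }

    // Amount that may be moved out of cold storage right now. Never underflows:
    // claim() keeps alreadyUnfrozen <= unfrozenCorrect(), which only grows over time.
    function claimable() public view returns (uint256) {
        return unfrozenCorrect() - alreadyUnfrozen;
    }

    // Records a release from cold storage; the token transfer itself is out of scope here.
    function claim(uint256 amount) public {
        require(amount <= claimable(), "exceeds unfrozen amount");
        alreadyUnfrozen += amount;
    }
}
```

With these assumed constants, unfrozenBuggy() keeps growing until it reaches 100000 tokens, while cold storage only ever held 50000; unfrozenCorrect() stops at 50000, so claim() can never release more than was frozen.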

3. Reentrancy Attack protection

Severity: low

Description

For greater security, swap the _transfer and _approve calls in transferFrom. Otherwise the potentially unsafe receiver contract (receiver.tokenFallback) is called first and only afterwards is the _allowed value reduced. In this case the SafeMath library protects the contract, since a re-entrant call that overspends the allowance reverts on the subtraction, but it is better to reduce the allowance before making the external call and not rely on that.
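The two call orders discussed above, as an added example that is not the MagicChain223 code: a minimal ERC223-style token with the flagged ordering (external tokenFallback call before the allowance update) next to the recommended one. The contract and function names, the SafeMath-style _sub helper and the ContractReceiver interface are assumptions; the address(this) check from finding 1 is included in _transfer.

```solidity
pragma solidity ^0.5.0;

// Receiver hook in the ERC223 style (assumed shape of receiver.tokenFallback).
interface ContractReceiver {
    function tokenFallback(address _from, uint256 _value, bytes calldata _data) external;
}

// Added example, not the audited contract: shows why the allowance must be
// reduced before the receiver is called.
contract TransferFromOrdering {
    mapping(address => uint256) internal _balances;
    mapping(address => mapping(address => uint256)) internal _allowed;

    // SafeMath-style subtraction: reverts instead of wrapping on underflow.
    function _sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction overflow");
        return a - b;
    }

    function _approve(address owner, address spender, uint256 value) internal {
        require(spender != address(0));
        _allowed[owner][spender] = value;
    }

    function _isContract(address a) internal view returns (bool) {
        uint256 size;
        assembly { size := extcodesize(a) }
        return size > 0;
    }

    // Moves the balance and then hands control to the receiver: the
    // tokenFallback call is the point at which a malicious contract re-enters.
    function _transfer(address from, address to, uint256 value, bytes memory data) internal {
        require(to != address(0));
        require(to != address(this)); // finding 1: never accept the token contract itself
        _balances[from] = _sub(_balances[from], value);
        _balances[to] += value;
        if (_isContract(to)) {
            ContractReceiver(to).tokenFallback(from, value, data);
        }
    }

    // Order flagged by the report: receiver called first, allowance reduced last.
    // A receiver that re-enters sees the allowance still unreduced; the nested
    // calls succeed and the outermost _sub reverts when the allowance runs out,
    // so only SafeMath stands between this ordering and an over-spend.
    function transferFromUnsafe(address from, address to, uint256 value, bytes memory data)
        public returns (bool)
    {
        _transfer(from, to, value, data);
        _approve(from, msg.sender, _sub(_allowed[from][msg.sender], value));
        return true;
    }

    // Recommended order (checks-effects-interactions): update the allowance
    // before the external call, so any re-entrant call is bounded by the
    // already-reduced allowance rather than by an arithmetic revert.
    function transferFrom(address from, address to, uint256 value, bytes memory data)
        public returns (bool)
    {
        _approve(from, msg.sender, _sub(_allowed[from][msg.sender], value));
        _transfer(from, to, value, data);
        return true;
    }
}
```

In transferFrom the spender's allowance is already reduced when tokenFallback runs, so a re-entrant transferFrom from the receiver is checked against the correct remaining allowance instead of relying on the final subtraction to revert the whole call chain.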

Conclusion

Several vulnerabilities were discovered in this contract.
