This document is a security audit report performed by danbogd, where LUTOKEN has been reviewed.
Commit hash efdf556013c20b225ae31261ef95d8911e0b37fe.
In total, 7 issues were reported including:
- 1 high severity issue
- 3 low severity issues
- 2 owner privileges (ability of the owner to manipulate the contract, which may be risky for investors)
- 1 note
No critical security issues were found.
In this implementation of the token upgrade mechanism, where users can opt in an amount of tokens to the next smart contract revision, it is possible that the new version of the contract is permitted to mint new LUTOKEN tokens. The ability to control the address also gives the ability to set new rules that govern how the token can be minted. From an investor’s perspective, this effectively allows LUTOKEN to arbitrarily control the way that new tokens are minted in the future.
The owners can implement any logic in the new contract. Even if the new contract is audited, the address of the new contract can be changed again at any time to one that is unaudited and insecure.
According to the ERC20 standard, when a token contract is initialized and any token value is assigned to an address, a Transfer event should be emitted. No event is emitted when the initial supply is assigned to msg.sender.
A double withdrawal attack is possible. More details here.
Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.
Add the following code to the function transfer(address _to, ... ):
    require( _to != address(this) );
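The two fixes recommended above, the Transfer event on the initial supply assignment and the address(this) guard in transfer, shown together as an added example that is not LUTOKEN's code. ExampleToken, its fields and the Solidity 0.8 pragma are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: ExampleToken and its fields are hypothetical names,
// not taken from the audited LutToken contract.
contract ExampleToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
        // ERC20: token creation SHOULD be logged as a Transfer from the zero
        // address, so indexers and wallets can see the initial allocation.
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        // Guard from the report: reject the token contract itself as the
        // recipient. This contract has no function that could move tokens
        // credited to its own address.
        require(_to != address(this), "transfer to token contract");
        require(balanceOf[msg.sender] >= _value, "insufficient balance");
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }
}
```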
It is possible to end up without control of the contract by accidentally calling the setSale function without a parameter.
The contract owner allows himself to:
- Pause/unpause transfer/transferFrom, check here.
- Freeze/unfreeze transfer/transferFrom, check here.
The LutToken contract defines an internal function, _burn, which is only used in the burn function. This internal function is unnecessary, and the function logic can be implemented directly in burn.
The audited smart contract is not safe to deploy. A high severity issue was found during the audit.