Skip to content

Instantly share code, notes, and snippets.

@yuriy77k

yuriy77k/ETH_LUTOKEN_audit_report.md Secret

Created May 22, 2019 12:22
Show Gist options
  • Save yuriy77k/c34b18d43ab2d60a02f195061ae1a4d5 to your computer and use it in GitHub Desktop.
Save yuriy77k/c34b18d43ab2d60a02f195061ae1a4d5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ETH_LUTOKEN_audit_report.md

LUTOKEN audit report.

1. Summary

This document is a security audit report performed by danbogd, where LUTOKEN has been reviewed.

2. In scope

Сommit hash efdf556013c20b225ae31261ef95d8911e0b37fe.

3. Findings

In total, 7 issues were reported including:

  • 1 high severity issues
  • 3 low severity issues
  • 2 owner privileges (ability of owner to manipulate contract, may be risky for investors)..
  • 1 notes.

No critical security issues were found.

3.1. Token upgrade mechanism

Severity: high

Description

In this implementation of token upgrade mechanism where users can opt-in amount of tokens to the next smart contract revision it is posible that the new version of contract permitted to mint new LUTOKENS tokens. The ability to control the address also allows the ability to set new rules that govern how the token can be minted. From an investor’s perspective, this effectively allows LUTOKEN to arbitrarily control the way that new tokens are minted in the future.

The owners can implement any logic in the new contract. And even if the new contract will be audited, at any time possible to change the address of the new contract again to not audited and insecure.

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L503

3.2. Missing event call.

Severity: low

Description

According to ERC20 standard, when initializing a token contract if any token value is set to any given address a transfer event should be emitted. An event isn't emitted when assigning the initial supply to the msg.sender.

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L585

3.3. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here.

  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.

Recommendation

Add into a function transfer(address _to, ... ) following code:

require( _to != address(this) );

3.4. Required check for an 0x0 address

Severity: low

Description

It is possible to remain out of contract control by accidentally calling setSale function without parameter.

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L617

3.5. Owner Privileges

Severity: owner previliges

Description

Contract owner allow himself to:

Pause/unpause transfer/transferFrom, check here. Frozen/unfrozen transfer/transferFrom, check here.

3.6. Burn function

Severity: note

Description

The LutToken contract defines an internal function,_burn, which is only used in the burn function. This internal function is unnecessary, and the function logic can be implemented directly in burn.

Code snippet

https://github.com/CINEMADROM/SMART-CONTRACT/blob/efdf556013c20b225ae31261ef95d8911e0b37fe/LUTOKEN.sol#L272

4. Conclusion

The audited smart contract is not safe to deploy. High severity issue was found during the audit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment