Skip to content

Instantly share code, notes, and snippets.

@yuriy77k

yuriy77k/ETH_CRAD_CASH_report.md Secret

Forked from MrCrambo/ETH_CRAD_CASH_report.md
Created April 26, 2019 16:07
Show Gist options
  • Save yuriy77k/c95a37906e305d52097cde1b27542e35 to your computer and use it in GitHub Desktop.
Save yuriy77k/c95a37906e305d52097cde1b27542e35 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ETH_CRAD_CASH_report.md

Summary

This is the report from a security audit performed on CRAD_CASH by MrCrambo.

The audit focused primarily on the security of CRAD_CASH smart contracts.

In scope

  1. https://etherscan.io/address/0x608f006b6813f97097372d0d31fb0f11d1ca3e4e#code

Findings

In total, 3 issues were reported including:

  • 0 high severity issues.

  • 2 medium severity issues.

  • 1 low severity issues.

Security issues

1-2. Wrong ERC223 implementation

Severity: medium

Description

Smart contract implements ERC223 wrongly.

  1. transfer(address _to, uint _value) function at line 94 also should call token fallback function
  2. transfer(address _to, uint _value, bytes memory _data) function at line 146 works wrongly, there should be token fallback call only after adding and subtracting user balances as in ERC223 standard.

3. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. It is possible to double withdrawal attack. More details here
  2. Lack of transaction handling mechanism issue. More details here

Recommendation

Add into a function transfer(address _to, ... ) following code:

require( _to != address(this) );

Conclusion

Smart contract contains medium severity issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment