yuriy77k/ETH_Dai_report.md

## ETH_Dai_report.md

      
    Raw
  

              ETH_Dai_report.md
            
          
    Dai Security Audit Report

1. Summary

Dai smart contract security audit report performed by Callisto Security Audit Department

Audit Top 200 CoinMarketCap tokens.
Dai (DAI) stablecoin.

http://www.makerdao.com/
2. In scope


DaiToken.sol

3. Findings

In total, ** issues** were reported including:


3 low severity issues.


notes.


4 owner privileges (the ability of an owner to manipulate contract, may be risky for investors).


No critical security issues were found.
3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description


It is possible to double withdrawal attack. More details here.


Lack of transaction handling mechanism issue. WARNING!  This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here.


Recommendation

Add the following code to the transfer(_to address, ...) function:
require( _to != address(this) );


3.2. Blocking transferring

Severity: owner privileges

Description

The contract owner allowed to block transfer functions( transferFrom, approve, mint, burn).
Code snippet


Line 234.

3.3. ERC20 Compliance — event missing

Severity: low

Description

According to ERC20 standard when coins are minted(or burned) a Transfer event should be emitted.
Code snippet


Lines 423, 428, 303.

3.4. Checking input addresses

Severity: low

Description

Incoming addresses should be checked for an empty value(0x0 address) to avoid loss of funds or blocking some functionality.
Code snippet


setOwner function (lines 129-135)
transferFrom function (lines 390-405)

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.
5. Revealing audit reports

https://gist.github.com/yuriy77k/bf2ea7c611b07073262d216d05de3b30
https://gist.github.com/yuriy77k/8cc19398ee91c3dd236f30a5b91c2d97