ZRX Token smart contract security audit report performed by Callisto Security Audit Department
Token description:
Symbol : ZRX
Name : 0x Protocol Token
Total supply: 1,000,000,000
Decimals : 18
Standard : ERC20
In total, 4 issues were reported, including:
- 1 medium severity issue.
- 3 low severity issues.
No critical security issues were found.
- A double withdrawal attack is possible. More details here.
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue, and it has already caused millions of dollars in losses for many token users! More details here.
Add the following code to the transfer(_to address, ...) function:
require( _to != address(this) );
- Following the EIP-20 specification, transfer should throw when the msg.sender doesn't have enough funds.
- As above, following the specification, transferFrom should throw, and not return false, if the _from address doesn't have enough funds or if the allowed value isn't enough to cover the transaction _value.
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L60
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L70
Even though the likelihood of this issue representing a risk for users is very low, the reimplemented transferFrom with unlimited allowance to an address is not compliant with the ERC-20 standard. Users should be aware of it.
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L108
The functions transfer and transferFrom have no zero-address check.
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L60
https://gist.github.com/yuriy77k/9e3f16ce8289f6fafa64c9fee13dfd1f#file-zrxtoken-sol-L70
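The recipient and balance checks recommended in the findings above (rejecting the token's own address and the zero address, and reverting rather than returning false), shown as an added sketch that is not the audited ZRXToken code or the auditors' patch. It assumes Solidity 0.8; the contract name, storage layout and error strings are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited source. All names here are assumptions.
contract HardenedTokenSketch {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed _from, address indexed _to, uint256 _value);
    event Approval(address indexed _owner, address indexed _spender, uint256 _value);

    constructor(uint256 _supply) {
        totalSupply = _supply;
        balanceOf[msg.sender] = _supply;
        emit Transfer(address(0), msg.sender, _supply);
    }

    // Shared recipient checks: reject the zero address and the token contract itself.
    modifier validRecipient(address _to) {
        require(_to != address(0), "transfer to zero address");
        require(_to != address(this), "transfer to token contract");
        _;
    }

    function transfer(address _to, uint256 _value) public validRecipient(_to) returns (bool) {
        // Revert instead of returning false when the sender lacks funds.
        require(balanceOf[msg.sender] >= _value, "insufficient balance");
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public validRecipient(_to) returns (bool) {
        require(balanceOf[_from] >= _value, "insufficient balance");
        require(allowance[_from][msg.sender] >= _value, "insufficient allowance");
        // Always decrement: no special case that leaves a maximum allowance untouched.
        allowance[_from][msg.sender] -= _value;
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(_from, _to, _value);
        return true;
    }
    // Plain ERC-20 approve; this sketch does not address the double withdrawal finding.
    function approve(address _spender, uint256 _value) public returns (bool) {
        allowance[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }
}
```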
The audited code has some ERC20 compliance issues.
https://gist.github.com/yuriy77k/3a07536517aef3a02b64024db39f5407
https://gist.github.com/yuriy77k/471b6aeffdc8bc2c5c6a406dbe656ec7
https://gist.github.com/yuriy77k/dfa68fb6651cd142bc1ae85c681dc58c