Skip to content

Instantly share code, notes, and snippets.

@yuriy77k
Forked from gorbunovperm/ETH_Idex_report.md
Created May 29, 2019 14:34
Show Gist options
  • Save yuriy77k/cf776b11b3297a0b0a46e50349ecc78a to your computer and use it in GitHub Desktop.
Save yuriy77k/cf776b11b3297a0b0a46e50349ecc78a to your computer and use it in GitHub Desktop.
Idex security audit report

Idex security audit report

Summary

This is the report from a security audit performed on Idex by gorbunovperm.

It is an Ethereum-driven decentralized exchange that supports Ethereum and ERC20 token trading pairs.

https://idex.market/

In scope

Commit hash: efdf556013c20b225ae31261ef95d8911e0b37fe

  1. DVIP.sol
  2. Exchange.sol
  3. ExchangeWhitelist.sol
  4. MyToken.sol
  5. lib/

Findings

In total, 5 issues were reported including:

  • 0 critical severity issue.

  • 0 high severity issue.

  • 0 medium severity issues.

  • 5 low severity issues.

  • 0 minor observations.

Security issues

1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  • It is possible to double withdrawal attack. More details here

  • Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it already caused millions of dollars losses for lots of token users! More details here

Recommendation

Add into a function transfer(address _to, ... ) following code:

require( _to != address(this) );

2. ERC20 Compliance: event missing

Severity: low

Code snippet

Description

According to ERC20 standard, when initializing a token contract if any token value is set to any given address a Transfer event should be emitted. An event isn't emitted when assigning the initial supply to the msg.sender.

3. Required check for an empty address

Severity: low

Code snippet

Description

It is possible to send tokens to 0x0 address by accidently.

4. ERC20 Complince: transfer function returns nothing

Severity: low

Code snippet

Description

Following the specification, this function should return true or false.

5. Incorrect Deposit event argument

Severity: low

Code snippet

Description

The deposit can be made both in tokens and ethers but in both cases Deposit event is emitted with amount(of tokens) parameter.

Recommendation

In case of deposit in ethers, the msg.value should be used instead amount parameter.

Conclusion

There are some vulnerabilities were discovered in these contracts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment