Pcore Token Audit Report.

Security Audit Report

1. Summary

Pcore Token smart contract security audit report performed by Callisto Security Audit Department

2. In scope

Commit hash 3ebca579f6c1d65de75463736f0af193c2d7f153.

3. Findings

In total, 5 issues were reported including:

  • 1 medium severity issue.

  • 2 low severity issues.

  • 2 minor observations.

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

Description

  1. A double withdrawal attack is possible. More details here.

  2. Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

3.2. Anyone can get owner's rights

Severity: medium

Description

Owned2() is not the constructor of the contract and has to be called manually. But it is a public method, so anyone can call it and become the owner. The owner can then withdraw any accidentally sent ERC20 tokens.

Code snippet

https://github.com/PcoreOfficial/PcoreToken/blob/3ebca579f6c1d65de75463736f0af193c2d7f153/PCC.sol#L64

Recommendation

Use a constructor, Owned(), for this purpose.

3.3. Token Transfer to 0x0 address

Severity: low

Description

The transfer and transferFrom functions do not prevent sending tokens to address 0x0.

Code snippet

https://github.com/PcoreOfficial/PcoreToken/blob/3ebca579f6c1d65de75463736f0af193c2d7f153/PCC.sol#L136

https://github.com/PcoreOfficial/PcoreToken/blob/3ebca579f6c1d65de75463736f0af193c2d7f153/PCC.sol#L169

Recommendations

Add a zero address check:

require(to != address(0));

3.4. Deprecated method.

Severity: minor observation

Description

The function () payable { revert(); } pattern was used to prevent implicit acceptance of ether in Solidity versions older than 0.4.0, but today it is unneeded.

Code snippet

https://github.com/PcoreOfficial/PcoreToken/blob/3ebca579f6c1d65de75463736f0af193c2d7f153/PCC.sol#L200-L202

3.5. Unknown version of solidity.

Severity: minor observation

Description

The source file does not specify the required compiler version.

4. Conclusion

The review did not reveal any critical issues; some medium and low severity issues were found.

5. Revealing audit reports

https://gist.github.com/yuriy77k/031f96c602b379d9802f4059f5961111

https://gist.github.com/yuriy77k/22cc631b0a8ab38f3ceacf728ca89a87

https://gist.github.com/yuriy77k/d551928bd46247f667d33f208d53b716
