Pcore Token smart contract security audit report performed by Callisto Security Audit Department
Commit hash 3ebca579f6c1d65de75463736f0af193c2d7f153.
In total, 5 issues were reported, including:
- 1 medium severity issue.
- 2 low severity issues.
- 2 minor observations.
No critical security issues were found.
- The contract is susceptible to the double-withdrawal attack. More details here.
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.
Add the following check to the transfer(address _to, ...) function:
    require( _to != address(this) );
Owned2() is not the contract's constructor and has to be called manually. But it is a public method, so anyone can call it and become the owner, and the owner can claim any accidentally sent ERC20 tokens. Use the constructor Owned() for this purpose.
The transfer and transferFrom functions do not prevent sending tokens to address 0x0. Add a zero-address check:
    require(_to != address(0));
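As an added illustration (not the audited Pcore code; the contract, function and variable names are assumptions), the following token skeleton applies the recommendations from the three findings above: ownership set in a constructor instead of a publicly callable Owned2(), and the contract-address and zero-address checks shared by transfer and transferFrom.

```solidity
pragma solidity ^0.4.24;

// Hardened token skeleton (added example, not the audited contract).
// Names are assumptions; only the checks and the constructor pattern
// reflect the audit findings.
contract Owned {
    address public owner;
    // A constructor runs exactly once at deployment, so nobody can call it
    // later to take ownership, unlike a public Owned2() method.
    constructor() public {
        owner = msg.sender;
    }
    modifier onlyOwner() {
        require(msg.sender == owner);
        _;
    }
}

contract HardenedToken is Owned {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 _supply) public {
        balanceOf[msg.sender] = _supply;
    }

    // Checks shared by transfer and transferFrom.
    function _move(address _from, address _to, uint256 _value) internal {
        require(_to != address(0));     // zero-address check
        require(_to != address(this));  // tokens sent to the contract itself would be stuck
        require(balanceOf[_from] >= _value);
        require(balanceOf[_to] + _value >= balanceOf[_to]); // overflow guard
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        _move(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(allowance[_from][msg.sender] >= _value);
        allowance[_from][msg.sender] -= _value;
        _move(_from, _to, _value);
        return true;
    }
}
```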
The fallback function () payable { revert(); } was a pattern used to prevent implicit acceptance of ether in Solidity versions older than 0.4.0; today it is unneeded.
The source file does not specify the required compiler version (no pragma solidity directive).
The review did not reveal any critical issues; some medium and low severity issues were found.
https://gist.github.com/yuriy77k/031f96c602b379d9802f4059f5961111
https://gist.github.com/yuriy77k/22cc631b0a8ab38f3ceacf728ca89a87
https://gist.github.com/yuriy77k/d551928bd46247f667d33f208d53b716