aXpire Audit Report.
- Symbol: AXPR
- Name: aXpire
- Total supply: 350,000,000
- Decimals: 18
- Standard: ERC20
2. In scope
7 issues were reported:
- 1 high severity issue.
- 2 medium severity issues.
- 4 low severity issues.
3.1. ERC-20 Compliance
Following EIP-20 specifications:
- Transfers of 0 values "MUST" be treated as normal transfers and fire the Transfer event. This issue is applicable for both
value is equal to 0 the functions do not fire a Transfer event and return false.
- transfer "SHOULD" throw when the msg.sender doesn't have enough funds.
- As above, following the specification, transferFrom should throw and not return false if the _from address doesn't have enough funds or if the allowed value isn't enough to cover the transaction.
3.2. Token Cap
tokenCreationCap is set to 350M tokens. In the constructor, tokenCreationCap is totally assigned to escrowFundDeposit, meaning that no more token creation can be done.
However, in the sale function createTokens, investors can buy tokens using ether. All bought tokens are added to the totalSupply, which already includes the tokenCreationCap that was given to escrowFundDeposit. The total supply check is done using checkedSupply, which is the sum of totalSupply and the tokens bought (tokens), as commented "check that we're not over totals", but there is no limit on totalSupply creation since the values are just added.
Please note that the following condition will never throw, tokenCreationCap will always be lower than
if (tokenCreationCap < checkedSupply) revert(); // odd fractions won't be found
3.3. Owner Privileges
The contract owner allows himself to:
- Burn from any address, putting all users at critical severity risk; such behavior cannot be accepted by the investors. Once tokens are allocated to an address, only that address should be able to burn them, check here.
approval/transfer/transferFrom, check here.
- Halt/unhalt the token sale, check here.
- The ICO can be ended by the owner only, check here.
- Reset the sale exchange rate at any moment, check here.
3.4. Allowance Approval
Following the ERC20 standard, the approve function "Allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again it overwrites the current allowance with _value." However, the implemented function throws if allowed[msg.sender][_spender] is different from zero and _value is different from zero. This partially solves the double withdrawal attack but creates incompatibility with some Dapps, and does not allow the user to directly reduce the allowance, creating a race between user and spender.
3.5. Transfer Event
Following EIP-20: "A token contract which creates new tokens SHOULD trigger a Transfer event with the _from address set to 0x0 when tokens are created".
This issue relates to both the constructor and the createTokens function, since tokens are created and the Transfer event is not triggered.
3.6. Transfer to address(0)
transferFrom transfers to address(0) are allowed.
3.7. Known vulnerabilities of ERC-20 token
- A double withdrawal attack is possible. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here
Add the following code to the transfer(_to address, ...) function:
require( _to != address(this) );
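A transfer path that satisfies the points raised in 3.1, 3.5 and 3.6 together with the require( _to != address(this) ) check above, as an added example that is not the audited aXpire contract's code. The contract name, the _move helper and Solidity ^0.8.0 are assumptions; approve uses the overwrite semantics quoted in 3.4.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Illustrative token, not the audited AXPR contract; all names are assumptions.
contract CompliantTransferExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    event Transfer(address indexed _from, address indexed _to, uint256 _value);
    event Approval(address indexed _owner, address indexed _spender, uint256 _value);

    constructor(address initialHolder, uint256 initialSupply) {
        // 3.5: token creation is announced with _from set to address(0).
        totalSupply = initialSupply;
        balanceOf[initialHolder] = initialSupply;
        emit Transfer(address(0), initialHolder, initialSupply);
    }

    function approve(address _spender, uint256 _value) external returns (bool) {
        allowance[msg.sender][_spender] = _value; // overwrites the current allowance
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    function transfer(address _to, uint256 _value) external returns (bool) {
        _move(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) external returns (bool) {
        // 3.1: revert, rather than return false, when the allowance is too small.
        uint256 allowed = allowance[_from][msg.sender];
        require(allowed >= _value, "allowance too low");
        allowance[_from][msg.sender] = allowed - _value;
        _move(_from, _to, _value);
        return true;
    }

    function _move(address _from, address _to, uint256 _value) internal {
        // 3.6 and 3.7: refuse the zero address and the token contract itself.
        require(_to != address(0), "transfer to zero address");
        require(_to != address(this), "transfer to token contract");
        // 3.1: revert when the sender's balance is too small.
        require(balanceOf[_from] >= _value, "balance too low");
        // No special case for _value == 0: it is a normal transfer and emits the event.
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(_from, _to, _value);
    }
}
```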
Token and ICO are implemented on the blockchain to decentralize and to limit human intervention and possible hacks. The implemented token is completely centralized around the owner. Investors are not safe.