Skip to content

Instantly share code, notes, and snippets.

@yuriy77k yuriy77k/CryptoAds.md Secret forked from alexo18/CryptoAds.md
Created Aug 16, 2018

Embed
What would you like to do?

Ethereum Classic CryptoAds smart contract audit report.

Summary

This is the report from a security audit performed on CryptoAds smart contract (ETH) by alexo18. The audit focused primarily on the security of funds and fault tolerance of the CryptoAds contract. The main intention of this contract is to serve as utility token for advertisement platform CryptoAds (based on CFC.io)

In scope

CryptoAds.sol

Findings

In total, 4 issues were reported including:

  • 1 medium severity issues.
  • 3 low severity issues.

Security issues

1.Transfer to Address 0x0.

Severity: medium

Description

The 'address _to' parameter is not inspected for '0x0' value,so it is possible to accidentally send tokens to 0x0 address.

Code snippet

https://gist.github.com/yuriy77k/6f636b466df04c8ae0cc24e56b28e51a#L69#L214

Recommendation

Use a 'require' statement to inspect the parameter.

2.Using state-reverting exceptions to check input conditions.

Severity: low

Description

Some contract functions return '0' value in case if input conditions not met, but the caller may just not check the return value and expect a 'throw'.
A good code practice is to make your code fail as promptly and as loudly as possible. Also state-reverting exception will bubble up and revert changes made to the entire stack.

Code snippet

https://gist.github.com/yuriy77k/6f636b466df04c8ae0cc24e56b28e51a#L196#L217#L355#L370#L389#L401

3.Excessive conditicons checks.

Severity: low

Description

Some input parameters checks are excessive because their fulfillment is guaranteed by the SafeMath ,but, of course, SafeMath will 'throw'.

Code snippet

https://gist.github.com/yuriy77k/6f636b466df04c8ae0cc24e56b28e51a#L196#L217#L401

4.Double withdrawal attack.

Severity: low

Description

There is a possibility when user accidentally calls the 'AbstractToken.approve(address _spender, uint256 _value)' function, instead of overloaded version from the 'CryptoAdsToken' contract, thereby creating an opportunity for the double withdrawal attack.

Recommendation

Change the 'AbstractToken.approve(address _spender, uint256 _value)' access classifier to 'internal'.

Conclusion

No critical vulnerabilities were detected ,but we highly recommend to complete other bugs before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.