This is the report from a security audit performed on Huobi Token (HT) by gorbunovperm.
Audit Top 200 CoinMarketCap tokens.
In total, 2 issues were reported including:
- 0 high severity issues.
- 1 medium severity issue.
- 1 low severity issue.
- 0 owner privileges.
- 0 notes.
- A double withdrawal attack is possible. More details here
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here
Recommendation for the transaction handling issue: add the following check to the transfer(address _to, ...) function, so that tokens cannot be sent to the token contract's own address and locked there:
require(_to != address(this));
From the ERC-20 specification:
The function SHOULD throw if the _from account balance does not have enough tokens to spend.
But in this implementation it just returns false. This can lead to serious consequences, because callers rarely check the return value of this function. For example, an external contract may use this token contract as:
HTToken.transferFrom(recipient, this, value);
points[recipient] += value;
In this case recipient is credited with any amount of points even if he does not have enough tokens: transferFrom() returns false instead of reverting, so the calling code succeeds.
Affected code: transfer(), line 53; transferFrom(), line 63.
Recommendation: follow the specification and make the function throw (revert) if the _from account balance does not have enough tokens to spend, rather than returning false.
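The following Solidity example is added here to illustrate both findings side by side; it is not code from the HT contract or from the audit, and the contract names (WeakToken, HardenedToken, PointsVulnerable, PointsSafe, IERC20Like) are made up. WeakToken reproduces the behaviour described above (returns false instead of throwing, no check on _to), HardenedToken reverts and adds the recommended require(_to != address(this)), and the two Points contracts show the calling pattern from the example above with and without a return-value check. The zero-first guard in HardenedToken.approve() is the conventional mitigation for the double withdrawal issue listed in the summary and is an assumption of this example, not a recommendation quoted from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Huobi Token (HT) source; all contract names are made up.

interface IERC20Like {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// WeakToken reproduces the behaviour the audit describes: transfer() and transferFrom()
// return false on an insufficient balance instead of reverting, and nothing stops
// tokens from being sent to the token contract's own address, where they are locked.
contract WeakToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }

    function transfer(address _to, uint256 _value) external returns (bool) {
        if (balanceOf[msg.sender] < _value) return false; // silent failure
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;                         // _to may be address(this)
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) external returns (bool) {
        if (balanceOf[_from] < _value || allowance[_from][msg.sender] < _value) return false;
        allowance[_from][msg.sender] -= _value;
        balanceOf[_from] -= _value;
        balanceOf[_to] += _value;
        return true;
    }
}

// HardenedToken reverts as the ERC-20 SHOULD-throw wording asks, rejects transfers to
// the token contract itself (the require() recommended in the report), and guards
// approve() with the zero-first rule against the approve/transferFrom double withdrawal race.
contract HardenedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 value) external returns (bool) {
        // Assumed mitigation: a non-zero allowance must be reset to 0 before being changed.
        require(value == 0 || allowance[msg.sender][spender] == 0, "reset allowance first");
        allowance[msg.sender][spender] = value;
        return true;
    }

    function _move(address from, address to, uint256 value) internal {
        require(to != address(this), "transfer to token contract");
        require(balanceOf[from] >= value, "insufficient balance");
        balanceOf[from] -= value;
        balanceOf[to] += value;
    }

    function transfer(address _to, uint256 _value) external returns (bool) {
        _move(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) external returns (bool) {
        require(allowance[_from][msg.sender] >= _value, "insufficient allowance");
        allowance[_from][msg.sender] -= _value;
        _move(_from, _to, _value);
        return true;
    }
}

// The calling pattern from the audit's example: the boolean is ignored, so with
// WeakToken a failed transferFrom() still credits `recipient` with `value` points.
contract PointsVulnerable {
    IERC20Like public token;
    mapping(address => uint256) public points;
    constructor(IERC20Like _token) { token = _token; }

    function deposit(address recipient, uint256 value) external {
        token.transferFrom(recipient, address(this), value); // may return false
        points[recipient] += value;                          // credited anyway
    }
}

// Fixed caller: require() the return value, so a false return reverts the whole call.
// With HardenedToken the revert already happens inside the token; the require() also
// protects against tokens that merely return false.
contract PointsSafe {
    IERC20Like public token;
    mapping(address => uint256) public points;
    constructor(IERC20Like _token) { token = _token; }

    function deposit(address recipient, uint256 value) external {
        require(token.transferFrom(recipient, address(this), value), "token transfer failed");
        points[recipient] += value;
    }
}
```

Deploy WeakToken and PointsVulnerable (passing the token address cast to IERC20Like), then call deposit(anyAddress, 1000) from an account that holds no tokens and has granted no allowance: the call succeeds and points[anyAddress] becomes 1000. The same call against PointsSafe, or against PointsVulnerable wired to HardenedToken, reverts.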
Some vulnerabilities were discovered in this contract.