This is the report from a security audit performed on Gigzi by gorbunovperm.
The smart contract allows the Central Authority (CA) to issue tokens backed by precious metals.
- FeeableToken.sol
- GigBlack.sol
- GigCrowdsale.sol
- GigGold.sol
- GigPlatinum.sol
- GigSilver.sol
- Migrations.sol
In total, 3 issues were reported including:
-
0 high severity issue.
-
1 medium severity issues.
-
1 low severity issues.
-
1 minor observations.
Issues for GigBlack.sol
function approve(address _spender, uint256 _value) public returns (bool) {
allowed[msg.sender][_spender] = _value;
emit Approval(msg.sender, _spender, _value);
return true;
}Changing an allowance with this method brings the risk that someone may use both the old and the new allowance by unfortunate transaction ordering.
One possible solution to mitigate this race condition is to first reduce the spender's allowance to 0 and set the desired value afterwards: ethereum/EIPs#20 (comment)
function processTransfer(address _from, address _to, uint256 _value) internal returns (bool) {
// update rewards before transfer
updateAccountReward (_from);
updateAccountReward (_to);
FeeableToken.processTransfer (_from, _to, _value);
}processTransfer function of GigBlack contract calls override and call parent function of FeedableToken contract. Parent function returns true, but GigBlack processTransfer doesn't have a return keyword and by default always return false. This can distort the logic of the application.
Use return FeeableToken.processTransfer (_from, _to, _value); for right result.
Several places in code. Just example:
accInfo.rewardAccum = prevAccum + balanceOf(accInfo.accountAddress) * rewardPeriod;It will be good to prevent possible overflow.
Use SafeMath library functions.
Serious vulnerabilities in the contract were not found.