Pundi X (NPXS) Token security audit report
Audit Top 200 CoinMarketCap tokens.
In total, 6 issues were reported, including:
0 critical severity issues.
0 high severity issues.
3 medium severity issues.
2 low severity issues.
1 owner privileges issue.
0 minor observations.
1. Known vulnerabilities of ERC-20 token
A double withdrawal attack (the approve/transferFrom race condition) is possible.
Add the following check to the function
transfer(address _to, ... ):
require( _to != address(this) );
2. Owner Privileges
Severity: owner privileges
The owner receives funds immediately after each purchase of tokens. They should become available only after the end of the crowdsale; otherwise the owner has the opportunity to buy tokens with the same money. (line 149)
WithdrawVault contracts are managed manually by the owner and are not integrated with the
Crowdsale contract, which is not good for investors. (lines 200 and 446)
The contract owner is allowed to pause transfer functions (
transferFrom). (lines 541-545)
The owner can finish minting whenever he wants. Related to issue #4. (line 401)
3. ERC20 Compliance: event missing
According to the ERC20 standard, a Transfer event should be emitted when burning coins. In this case only the
Burn event is emitted; it is better to additionally use
emit Transfer(msg.sender, address(0), value);
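The following minimal ERC-20 core is an added illustration of the fixes for issues 1 and 3; it is not the audited NPXS code, and the contract name HardenedToken and the increaseApproval/decreaseApproval helpers are assumptions of this example. It targets the Solidity 0.4.x line the audited contracts were written for.

```solidity
pragma solidity ^0.4.24;

// Added example (not the audited NPXS contract): an ERC-20 core with the
// self-transfer guard (issue 1), relative allowance changes that remove the
// approve/transferFrom race (issue 1), and a burn that emits Transfer to
// address(0) next to the contract's own Burn event (issue 3).
contract HardenedToken {
    string public constant name = "Example Token";   // assumed name
    uint256 public totalSupply;
    mapping(address => uint256) internal balances;
    mapping(address => mapping(address => uint256)) internal allowed;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);
    event Burn(address indexed burner, uint256 value);

    constructor(uint256 _initialSupply) public {
        totalSupply = _initialSupply;
        balances[msg.sender] = _initialSupply;
        emit Transfer(address(0), msg.sender, _initialSupply);
    }

    // Issue 1: tokens sent to the token contract itself would be stranded,
    // because nothing in the contract can move them out again.
    function transfer(address _to, uint256 _value) public returns (bool) {
        require(_to != address(0));
        require(_to != address(this));
        require(_value <= balances[msg.sender]);
        balances[msg.sender] -= _value;
        balances[_to] += _value;   // cannot overflow: every balance is bounded by totalSupply
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(_to != address(0));
        require(_to != address(this));
        require(_value <= balances[_from]);
        require(_value <= allowed[_from][msg.sender]);
        balances[_from] -= _value;
        balances[_to] += _value;
        allowed[_from][msg.sender] -= _value;
        emit Transfer(_from, _to, _value);
        return true;
    }

    // Kept for ERC-20 compatibility. Overwriting a non-zero allowance is the
    // double-withdrawal race: a spender who sees the new approve() pending can
    // spend the old allowance first and then the new one.
    function approve(address _spender, uint256 _value) public returns (bool) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // Relative changes cannot be front-run into double spending: whatever the
    // spender does first, the final allowance is old +/- delta, never old + new.
    function increaseApproval(address _spender, uint256 _addedValue) public returns (bool) {
        uint256 newValue = allowed[msg.sender][_spender] + _addedValue;
        require(newValue >= _addedValue);   // overflow guard
        allowed[msg.sender][_spender] = newValue;
        emit Approval(msg.sender, _spender, newValue);
        return true;
    }

    function decreaseApproval(address _spender, uint256 _subtractedValue) public returns (bool) {
        uint256 oldValue = allowed[msg.sender][_spender];
        if (_subtractedValue >= oldValue) {
            allowed[msg.sender][_spender] = 0;
        } else {
            allowed[msg.sender][_spender] = oldValue - _subtractedValue;
        }
        emit Approval(msg.sender, _spender, allowed[msg.sender][_spender]);
        return true;
    }

    // Issue 3: block explorers and indexers track supply through Transfer events,
    // so a burn must also emit Transfer(burner, 0x0, value).
    function burn(uint256 _value) public {
        require(_value <= balances[msg.sender]);
        balances[msg.sender] -= _value;
        totalSupply -= _value;
        emit Burn(msg.sender, _value);
        emit Transfer(msg.sender, address(0), _value);
    }

    function balanceOf(address _owner) public view returns (uint256) {
        return balances[_owner];
    }

    function allowance(address _owner, address _spender) public view returns (uint256) {
        return allowed[_owner][_spender];
    }
}
```

When reviewing a token for issue 1, check both transfer and transferFrom for the address(this) guard; a guard on only one of them leaves the other path open.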
4. Crowdsale contract is not associated with the NPXS token contract
The Crowdsale contract creates a token contract which is used for the crowdsale. But this created token contract is not
NPXSToken but just
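As an added illustration of the remediation for issues 2 and 4 (this is example code, not the audited NPXS or Crowdsale contracts), the crowdsale below is bound to an already deployed token by address instead of deploying its own, and the ETH from every purchase is escrowed in a vault that the owner can only release once the sale has closed. The names EscrowedCrowdsale, ProceedsVault and MintableToken, and the rate/closingTime parameters, are assumptions of this example.

```solidity
pragma solidity ^0.4.24;

// Added example (not the audited contracts): escrowed proceeds and an
// externally supplied token address.
contract Ownable {
    address public owner;
    constructor() public { owner = msg.sender; }
    modifier onlyOwner() { require(msg.sender == owner); _; }
}

// Minimal view of the real token the sale distributes. The real token's mint()
// must authorise the crowdsale address (assumption of this example).
contract MintableToken {
    function mint(address _to, uint256 _amount) public returns (bool);
}

// Escrow for sale proceeds. Its owner is the crowdsale that deploys it, so no
// externally owned account can withdraw before finalisation.
contract ProceedsVault is Ownable {
    enum State { Active, Closed }
    State public state = State.Active;
    address public beneficiary;

    constructor(address _beneficiary) public { beneficiary = _beneficiary; }

    function deposit() public payable onlyOwner {
        require(state == State.Active);
    }

    function close() public onlyOwner {
        require(state == State.Active);
        state = State.Closed;
        beneficiary.transfer(address(this).balance);   // the first and only payout
    }
}

contract EscrowedCrowdsale is Ownable {
    MintableToken public token;   // issue 4: the real token is passed in, not created here
    ProceedsVault public vault;
    uint256 public rate;          // token units per wei
    uint256 public closingTime;
    bool public finalized;

    event TokenPurchase(address indexed purchaser, uint256 weiAmount, uint256 tokens);

    constructor(MintableToken _token, address _wallet, uint256 _rate, uint256 _closingTime) public {
        require(address(_token) != address(0) && _wallet != address(0) && _rate > 0);
        require(_closingTime > now);
        token = _token;
        rate = _rate;
        closingTime = _closingTime;
        vault = new ProceedsVault(_wallet);   // msg.sender in the vault's constructor is this crowdsale
    }

    function () external payable {
        buyTokens();
    }

    function buyTokens() public payable {
        require(now < closingTime && !finalized);
        require(msg.value > 0);
        uint256 tokens = msg.value * rate;
        require(tokens / rate == msg.value);   // overflow guard
        require(token.mint(msg.sender, tokens));
        emit TokenPurchase(msg.sender, msg.value, tokens);
        vault.deposit.value(msg.value)();      // issue 2: ETH goes to escrow, not to the owner
    }

    // Issue 2: the only path that moves ETH to the wallet, gated on the sale
    // having ended, so proceeds cannot be recycled into new purchases while
    // the sale is still running.
    function finalize() public onlyOwner {
        require(!finalized);
        require(now >= closingTime);
        finalized = true;
        vault.close();
    }
}
```

The design point is that the owner keeps a single privilege, finalize(), and even that only moves funds after closingTime; compare this with a sale that forwards msg.value to the owner inside the purchase function.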
5. stopReceive is not implemented for transferFrom
The stopReceive mechanism is used for the
transfer function but not implemented for the
transferFrom function. It is possible to
approve funds to yourself and send them through
transferFrom without any restrictions.
6. ERC223 Compliance, transferAndCall issues
Judging by the call of the
tokenFallback function, this token should support the ERC223 standard. But in that case it should also be called in the
transfer function, and there should be a check whether the recipient is a contract. The function
transfer(address, uint, bytes) should be implemented.
Judging by the
transferAndCall function, this token should support the ERC677 standard. But in that case it should call the
tokenFallback function, and there should be a check whether the recipient is a contract.
The transferAndCall function does not use the
whenNotPaused modifier, so tokens may be transferred even if the contract is paused.
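The contract below is an added illustration of the fixes for issues 5 and 6 (it is not the audited NPXS code): the stopReceive restriction lives in one modifier shared by transfer and transferFrom, the ERC223-style transfer(address, uint, bytes) checks whether the recipient is a contract before calling tokenFallback, and transferAndCall carries whenNotPaused like every other transfer path. The names PausableReceiverToken, canReceive and setStopReceive are assumptions of this example.

```solidity
pragma solidity ^0.4.24;

// Added example (not the audited contract): consistent receive restrictions,
// contract detection before the tokenFallback callback, and pause enforcement
// on transferAndCall.
contract ERC223Receiver {
    function tokenFallback(address _from, uint256 _value, bytes _data) public;
}

contract PausableReceiverToken {
    address public owner;
    bool public paused;
    mapping(address => uint256) internal balances;
    mapping(address => mapping(address => uint256)) internal allowed;
    mapping(address => bool) public stopReceive;   // addresses that refuse incoming tokens

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 _supply) public {
        owner = msg.sender;
        balances[msg.sender] = _supply;
        emit Transfer(address(0), msg.sender, _supply);
    }

    modifier onlyOwner() { require(msg.sender == owner); _; }
    modifier whenNotPaused() { require(!paused); _; }

    // Issue 5: a single check applied to every path that credits a recipient,
    // so there is no second path that forgets it.
    modifier canReceive(address _to) {
        require(_to != address(0) && _to != address(this));
        require(!stopReceive[_to]);
        _;
    }

    function pause() public onlyOwner { paused = true; }
    function unpause() public onlyOwner { paused = false; }
    function setStopReceive(bool _stop) public { stopReceive[msg.sender] = _stop; }

    function approve(address _spender, uint256 _value) public returns (bool) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // extcodesize is non-zero only for deployed contracts (it is zero for an
    // externally owned account and for a contract still in its constructor).
    function isContract(address _addr) internal view returns (bool) {
        uint256 size;
        assembly { size := extcodesize(_addr) }
        return size > 0;
    }

    function _move(address _from, address _to, uint256 _value) internal {
        require(_value <= balances[_from]);
        balances[_from] -= _value;
        balances[_to] += _value;
        emit Transfer(_from, _to, _value);
    }

    function transfer(address _to, uint256 _value) public whenNotPaused canReceive(_to) returns (bool) {
        _move(msg.sender, _to, _value);
        return true;
    }

    // Issue 5: transferFrom has the same canReceive guard, so approving
    // yourself no longer bypasses stopReceive.
    function transferFrom(address _from, address _to, uint256 _value) public whenNotPaused canReceive(_to) returns (bool) {
        require(_value <= allowed[_from][msg.sender]);
        allowed[_from][msg.sender] -= _value;
        _move(_from, _to, _value);
        return true;
    }

    // Issue 6: ERC223-style transfer. Only contract recipients receive the
    // callback; a contract that lacks tokenFallback reverts the whole transfer
    // instead of silently swallowing the tokens.
    function transfer(address _to, uint256 _value, bytes _data) public whenNotPaused canReceive(_to) returns (bool) {
        _move(msg.sender, _to, _value);
        if (isContract(_to)) {
            ERC223Receiver(_to).tokenFallback(msg.sender, _value, _data);
        }
        return true;
    }

    // Issue 6: transferAndCall is a transfer path too, so it is paused with the
    // rest, and it insists on a contract recipient because the callback is its purpose.
    function transferAndCall(address _to, uint256 _value, bytes _data) public whenNotPaused canReceive(_to) returns (bool) {
        require(isContract(_to));
        _move(msg.sender, _to, _value);
        ERC223Receiver(_to).tokenFallback(msg.sender, _value, _data);
        return true;
    }

    function balanceOf(address _owner) public view returns (uint256) {
        return balances[_owner];
    }
}
```

A quick audit check for issues 5 and 6 is to list every function that writes to balances and confirm that each one carries the same set of modifiers; any path with a shorter modifier list is the one that bypasses the restriction.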
Some vulnerabilities were discovered in these contracts.