This is the report from a security audit performed on Ethereum Bills of Exchange by codeblcks. The aim of this contract is to create a mechanism to draw, transfer and accept negotiable instruments that that will be recognized as bills of exchange. Bills of exchange created with this smart contract are payable to the bearer, and can be transferred using Ethereum blockchain (from one blockchain address to another).
The audit primarily focuses on the security of funds and ensures proper use of ERC20, ERC223 and ERC667 token standards in contract. Throughout the audit of smart contracts care was taken to ensure:
- Overall quality of code.
- Use of best practices.
- Code documentation and comments match logic and expected behavior.
- Token distribution and calculations are as per intended behavior mentioned in whitepaper.
- Implementation of token standards.
- Efficient use of gas.
- Code is safe from re-entrancy and other vulnerabilities.
The following techniques, methods and tools were used to review all the smart contracts.
-
Structural Analysis In this step we have analyzed the design patterns and structure of smart contracts. A thorough check was done to ensure Smart contract is structured in a way that will not result in future problems.
-
Static Analysis Static Analysis of Smart Contracts was done to identify contract vulnerabilities. In this step series of automated tools are used to test security of smart contracts.
-
Code Review / Manual Analysis Manual Analysis or review of code was done to identify new vulnerability or verify the vulnerabilities found during the static analysis. Contracts were completely manually analyzed, their logic was checked and compared with the one described in the whitepaper. Besides, the results of automated analysis were manually verified.
-
Gas Consumption In this step we have checked the behavior of smart contract in production. Checks were done to know how much gas gets consumed and possibilities of optimization of code to reduce gas consumption.
In total, 3 issues were reported including:
- 3 low severity issues. No critical security issues were found.
Line 409 has no visibility specifier: mapping(address => bool) isAdmin; It is strongly recommended to adhere to the same coding standard when developing important components of blockchain systems.
The default visibility level in Solidity is public. Explicitly define visibility to prevent confusion. Implement a public visibility specifier for line 409.
uint
is an alias for uint256
, but using the full form is preferable. Be consistent and use one of form.
Replace ‘uint’ with ‘uint256’. Line 129, 255, 387, 393, 560.
bytes uses less gas than string datatype. For constant values smaller than 32 bytes, give preference for a bytes8/16/32 type, since they are much cheaper than string types, which are dynamically sized.
Replace string with bytes in BillsOfExchange contract.
Bills of Exchange contracts are in ready to use condition. At the time of the audit, the development of this contracts is considered complete. The last fixation was made on May 26, 2019. The last commit was made at 26 May 2019. Bug Bounties were not conducted. Any further changes to the contracts will leave them in unaudited state.
Overall, the contracts are very well written and adhere to the guidelines. Few low priority issues were found during the audit. It's strongly advised that these issues are corrected before proceeding.
This audit is not a security warranty, investment advice, or an endorsement of the Cryptonomica platform. This audit does not provide a security or correctness guarantee of the audited smart contracts. The statements made in this document should not be interpreted as investment or legal advice, nor should its authors be held accountable for decisions made based on them. Securing smart contracts is a multistep process. One audit cannot be considered enough. We recommend that the team put in place a bug bounty program to encourage further analysis of the smart contract by other third parties.