aXpire Token (AXPR) Security Audit Report
Are Your Funds Safe?
Our expert team at Callisto Network has conducted an in-depth security audit of the aXpire Token (AXPR) smart contract. This audit aims to ensure the security of your funds by identifying and assessing any potential vulnerabilities. Here, we present our findings:
Executive Summary
This report presents the results of the security audit conducted by the Callisto Network Security Department on the aXpire Token (AXPR) smart contract in May 2019. It analyzes the contract’s security in-depth and highlights any identified vulnerabilities.
1. Scope of the Audit
The audit focused on the following aXpire (AXPR) contract:
2. Audit Findings
Our audit reported a total of 10 finding(s), categorized as follows:
- 0 high-severity issue(s).
- 1 medium severity issue(s).
- 4 low-severity issue(s).
In addition to these findings, our audit identified 5 additional points, detailed in the following sections:
- 0 note(s).
- 5 owner privilege(s).
2.1 ERC-20 Compliance
Following EIP-20 specifications:
- Transfers of 0 values “MUST” be treated as normal transfers and fire the Transfer event; this issue is applicable for both
transfer
andtransferFrom
since ifvalue
is equal to 0, the functions do not fire a Transfer event and return false. transfer
“SHOULD” throw when themsg.sender
doesn’t have enough funds.- Same as previously following the specifications
transferFrom
should throw and not return false if the_from
address doesn’t have enough funds or if the allowed value isn’t enough to cover the transaction_value
.
[/bsf-info-box][bsf-info-box icon_type=”custom” icon_img=”id^11678|url^https://callisto.network/wp-content/uploads/2023/04/Mask-Group-7.png|caption^null|alt^null|title^Mask Group 7|description^null” img_width=”20″ icon_animation=”fadeIn” title=”Code Snippet:”]
- https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L155.
-
https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L166.
[/bsf-info-box]
2.2 Owner Privileges
The contract allows the owner to:
- Burn from any address, making all users at a critical severity risk, such behavior cannot be accepted by the investors. Once tokens are allocated to an address it belongs only to that address to burn the tokens. Check here.
- Pause/unpause
approval/transfer/transferFrom.
Check here. - Halt/unhalt token sale. Check here.
- Ico can be ended by the owner only. Check here.
- Reset the sale exchange rate at any moment. Check here.
[/bsf-info-box]
2.3 Allowance Approval
Following the ERC20 standard, approve
function “Allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again, it overwrites the current allowance with _value.”
However, the implemented function throws in case if allowed[msg.sender][_spender]
is different than zero and _value
different than zero. this partially solves the double withdrawal attack but creates incompatibility for some Dapps and does not allow the user to directly reduce the allowance creating a race between the user and spender.
[/bsf-info-box][bsf-info-box icon_type=”custom” icon_img=”id^11678|url^https://callisto.network/wp-content/uploads/2023/04/Mask-Group-7.png|caption^null|alt^null|title^Mask Group 7|description^null” img_width=”20″ icon_animation=”fadeIn” title=”Code Snippet:”]
[/bsf-info-box]
2.4 Transfer Event
Following EIP-20 when “A token contract which creates new tokens SHOULD trigger a Transfer event with the _from
address set to 0x0 when tokens are created”.
This issue is related to both constructor and createTokens
function since tokens are created and the transfer event is not triggered.
[/bsf-info-box][bsf-info-box icon_type=”custom” icon_img=”id^11678|url^https://callisto.network/wp-content/uploads/2023/04/Mask-Group-7.png|caption^null|alt^null|title^Mask Group 7|description^null” img_width=”20″ icon_animation=”fadeIn” title=”Code Snippet:”]
- https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L277.
- https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L317.
[/bsf-info-box]
2.5 Transfer to address(0)
approve
function “Allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again, it overwrites the current allowance with _value.”
However, the implemented function throws in case if allowed[msg.sender][_spender]
is different than zero and _value
different than zero. this partially solves the double withdrawal attack but creates incompatibility for some Dapps and does not allow the user to directly reduce the allowance creating a race between the user and spender.[/bsf-info-box][bsf-info-box icon_type=”custom” icon_img=”id^11678|url^https://callisto.network/wp-content/uploads/2023/04/Mask-Group-7.png|caption^null|alt^null|title^Mask Group 7|description^null” img_width=”20″ icon_animation=”fadeIn” title=”Code Snippet:”]
- https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L155.
- https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L166.
[/bsf-info-box]
2.6 Known Vulnerabilities of ERC-20 Token
- The smart contract is susceptible to double withdrawal attacks. Learn more about this type of attack here.
- The contract lacks a transaction handling mechanism. WARNING! This common vulnerability has already led to significant financial losses. For a comprehensive understanding of this issue, click here.
[/bsf-info-box][bsf-info-box icon_type=”custom” icon_img=”id^11679|url^https://callisto.network/wp-content/uploads/2023/04/star-svgrepo-com.png|caption^null|alt^null|title^star-svgrepo-com|description^null” img_width=”20″ icon_animation=”fadeIn” title=”Recommendation”]
Add the following code to the
transfer(_to address, ...)
function:require( _to != address(this) );
[/bsf-info-box]
3. Conclusion
The audited smart contract has issues with ERC20 Compliance and cannot be used as ERC20 token. Reported issues must be fixed prior to the usage of this contract.
About Callisto Network
Founded by Dexaran, co-founder of Ethereum Classic, Callisto Network is a blockchain platform that prioritizes security. We’ve conducted over 330 smart contract audits across platforms like Ethereum, Ethereum Classic, and EOS. In addition to our audits, we’ve developed the ERC 223 token standard and CallistoNFT standard, enhancements over existing standards that address flaws and offer new capabilities, further establishing us as industry leaders in crypto-security.