aXpire Token (AXPR) security audit, conducted by the Callisto Network Security Department in May 2019.

aXpire (AXPR) Specificities

Audit Request

aXpire’s smart contract was created to launch the token and has some basic functions related to burning tokens.

Source Code:
Disclosure policy: [email protected]
Symbol: AXPR
Total supply: 350,000,000
Decimals: 18
Standard: ERC-20
Number of lines: 240

 


aXpire Token (AXPR) Smart Contract Security Audit Report

1. In scope

2. Findings

In total, 10 issues were reported, including:

  • 1 medium severity issue.

  • 4 low severity issues.

  • 5 owner privileges (the ability of an owner to manipulate the contract, which may be risky for investors).

2.1. ERC-20 Compliance

Severity: medium.

Description:

Following the EIP-20 specification:

  • Transfers of 0 values “MUST” be treated as normal transfers and fire the Transfer event. This issue applies to both transfer and transferFrom, since when _value is equal to 0 the functions do not fire a Transfer event and return false.
  • transfer “SHOULD” throw when msg.sender does not have enough funds.
  • Likewise, following the specification, transferFrom should throw rather than return false when the _from address does not have enough funds or when the allowance is not enough to cover the transaction _value.

Code snippet:

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L155

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L166

2.2. Owner Privileges

Severity: owner privilege.

Description:

The contract owner allows himself to:

  1. Burn tokens from any address, which puts all users at a critical-severity risk; such behavior cannot be accepted by investors. Once tokens are allocated to an address, only that address should be able to burn them, check here.
  2. Pause/unpause approval/transfer/transferFrom, check here.
  3. Halt/unhalt the token sale, check here.
  4. End the ICO; only the owner can do so, check here.
  5. Reset the sale exchange rate at any moment, check here.

2.3. Allowance Approval

Severity: low.

Description:

Following the ERC-20 standard, the approve function “Allows _spender to withdraw from your account multiple times, up to the _value amount. If this function is called again it overwrites the current allowance with _value.” However, the implemented function throws when allowed[msg.sender][_spender] is non-zero and _value is non-zero. This partially mitigates the double-withdrawal attack but creates incompatibility with some DApps, and it does not allow the user to directly reduce the allowance, creating a race between user and spender.

Code snippet:

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L183
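The two approve behaviours side by side, as an added example that is not aXpire's code: approveNonZeroGuard reproduces the guard this finding describes, while approve, increaseApproval and decreaseApproval (names assumed here) keep EIP-20's overwrite semantics and still let a holder lower an allowance in one transaction.

```solidity
pragma solidity ^0.8.0;

contract AllowanceExample {
    mapping(address => mapping(address => uint256)) internal allowed;

    event Approval(address indexed owner, address indexed spender, uint256 value);

    // Pattern the finding describes: refuse to change a non-zero allowance to another
    // non-zero value. Lowering 100 -> 40 takes two transactions (set 0, then set 40),
    // and the spender can spend the old 100 between them.
    function approveNonZeroGuard(address _spender, uint256 _value) public returns (bool) {
        require(_value == 0 || allowed[msg.sender][_spender] == 0, "reset allowance to zero first");
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // EIP-20 behaviour: approve always overwrites the current allowance.
    function approve(address _spender, uint256 _value) public returns (bool) {
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    // Atomic adjustments (assumed names): a holder raises or lowers an allowance in a
    // single transaction, so the two-step race disappears without breaking approve().
    function increaseApproval(address _spender, uint256 _addedValue) public returns (bool) {
        allowed[msg.sender][_spender] += _addedValue;   // checked arithmetic in 0.8
        emit Approval(msg.sender, _spender, allowed[msg.sender][_spender]);
        return true;
    }

    function decreaseApproval(address _spender, uint256 _subtractedValue) public returns (bool) {
        uint256 current = allowed[msg.sender][_spender];
        // Clamp to zero instead of reverting, so lowering always succeeds.
        allowed[msg.sender][_spender] = _subtractedValue >= current ? 0 : current - _subtractedValue;
        emit Approval(msg.sender, _spender, allowed[msg.sender][_spender]);
        return true;
    }

    function allowance(address _owner, address _spender) public view returns (uint256) {
        return allowed[_owner][_spender];
    }
}
```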

2.4. Transfer Event

Severity: low.

Description:

Following EIP-20, “A token contract which creates new tokens SHOULD trigger a Transfer event with the _from address set to 0x0 when tokens are created”.

This issue applies to both the constructor and the createTokens function, since tokens are created but no Transfer event is triggered.

Code snippet:

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L277

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L317

2.5. Transfer to address(0)

Severity: low.

Description:


Code snippet:

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L155

https://gist.github.com/RideSolo/65ca7446379c3d261ca9d2d2e1c7508a#file-axpire-sol-L166

2.6. Known vulnerabilities of ERC-20 token

Severity: low.

Description:

  1. A double-withdrawal attack is possible. More details here.
  2. Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.

Recommendation:

Add the following check to the transfer(address _to, ...) function:

require(_to != address(this));
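The transfer, transferFrom and minting shape that satisfies findings 2.1, 2.4 and 2.5 and carries the require() recommended above, as an added example and not aXpire's code (contract and function names are assumed; Solidity 0.8 checked arithmetic stands in for SafeMath).

```solidity
pragma solidity ^0.8.0;

// Added example: compliant variants of the functions the findings point at.
contract CompliantTransfers {
    mapping(address => uint256) internal balances;
    mapping(address => mapping(address => uint256)) internal allowed;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    // 2.4: the initial supply goes through _mint, so the constructor also emits Transfer.
    constructor(uint256 _initialSupply) {
        _mint(msg.sender, _initialSupply);
    }

    // 2.4: token creation emits Transfer with _from set to address(0).
    function _mint(address _to, uint256 _amount) internal {
        require(_to != address(0), "mint to zero address");
        totalSupply += _amount;             // checked arithmetic in 0.8
        balances[_to] += _amount;
        emit Transfer(address(0), _to, _amount);
    }

    // Shared balance move used by transfer and transferFrom.
    function _move(address _from, address _to, uint256 _value) internal {
        require(_to != address(0), "transfer to zero address");       // 2.5
        require(_to != address(this), "transfer to token contract");  // 2.6 recommendation
        require(balances[_from] >= _value, "insufficient balance");   // 2.1: throw, do not return false
        balances[_from] -= _value;
        balances[_to] += _value;
        emit Transfer(_from, _to, _value);   // 2.1: fired for _value == 0 as well
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        _move(msg.sender, _to, _value);
        return true;
    }

    function transferFrom(address _from, address _to, uint256 _value) public returns (bool) {
        require(allowed[_from][msg.sender] >= _value, "insufficient allowance"); // 2.1
        allowed[_from][msg.sender] -= _value;
        _move(_from, _to, _value);
        return true;
    }

    function balanceOf(address _owner) public view returns (uint256) {
        return balances[_owner];
    }
}
```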

3. Conclusion

The audited smart contract has ERC-20 compliance issues and cannot be used as an ERC-20 token. The reported issues must be fixed before this contract is used.

4. Revealing audit reports

https://gist.github.com/yuriy77k/d19fc5b0b1b91bd75b4a0d725ecf7c48

https://gist.github.com/yuriy77k/7fd07d4f6f1972916a6734f2c37b200c

https://gist.github.com/yuriy77k/d16d404a58342856e22fdd5e5976f776
