Basic Attention Token (BAT) security audit, conducted by the Callisto Network Security Department in April 2019.
Basic Attention Token (BAT) Specificities
Audit Request
Audit Top 200 CoinMarketCap tokens.
Symbol : BAT
Name : Basic Attention Token
Circulating supply: 1,244,766,783
Total supply: 1,500,000,000
https://basicattentiontoken.org/
Deployed at:
https://etherscan.io/address/0x0d8775f648430679a709e98d2b0cb6250d2887ef#code
Source Code:
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c
Disclosure policy:
Public.
Platform:
ETH.
Number of lines:
129.
Basic Attention Token (BAT) Smart Contract Security Audit Report
Are Your Funds Safe?
1. In scope
2. Findings
In total, 4 issues were reported, including:
- 1 medium severity issue.
- 3 low severity issues.
No critical security issues were found.
2.1. Known vulnerabilities of ERC-20 token
Severity: low.
Description:
- A double withdrawal attack is possible. More details here.
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.
Recommendation:
Add the following code to the transfer(_to address, ...) function:
require( _to != address(this) );
2.2. ERC20 Compliance — transfer should throw
Severity: medium.
Description:
- From the ERC-20 specification: "The function SHOULD throw if the _from account balance does not have enough tokens to spend." But in this implementation, transfer and transferFrom just return false. This can lead to serious consequences, because checking the return value of this function is rare.
For example, an external contract may use this token contract as:
BatToken.transferFrom(recipient, this, value); points[recipient] += value;
In this case the recipient can obtain any amount of points even though he may not have enough tokens, and the code will succeed.
Code snippet:
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L54
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L66
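The integration pattern quoted above, shown as an added example that is not part of the original report or of the BAT contract: a points contract that ignores the boolean returned by transferFrom, beside the same contract written so that a false return is treated as failure. The interface, contract and function names (IERC20, PointsVulnerable, PointsHardened, buyPoints) are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed by the integrator (assumed interface for this example).
interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Vulnerable pattern from finding 2.2: the return value of transferFrom is dropped,
// so a token that returns false instead of reverting on insufficient balance lets
// points be credited without any tokens actually moving.
contract PointsVulnerable {
    IERC20 public immutable token;
    mapping(address => uint256) public points;

    constructor(IERC20 _token) {
        token = _token;
    }

    function buyPoints(address recipient, uint256 value) external {
        token.transferFrom(recipient, address(this), value); // result silently ignored
        points[recipient] += value;                          // credited regardless
    }
}

// Hardened pattern: a false return aborts the whole transaction, so the points
// balance can only grow when the token transfer really succeeded.
contract PointsHardened {
    IERC20 public immutable token;
    mapping(address => uint256) public points;

    constructor(IERC20 _token) {
        token = _token;
    }

    function buyPoints(address recipient, uint256 value) external {
        require(
            token.transferFrom(recipient, address(this), value),
            "transferFrom returned false"
        );
        points[recipient] += value;
    }
}
```

With a token that reverts on insufficient balance both contracts behave the same; the difference only appears with a token, like the audited one, that returns false. Against a token whose transferFrom returns nothing at all, the require in PointsHardened also reverts, because Solidity 0.8 fails to decode an empty return as a bool, which is the safe direction.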
2.3. ERC20 Compliance — zero-value transfers rejecting
Severity: low.
Description:
EIP20 says that:
Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event.
But in this contract, the functions transfer and transferFrom have the condition:
if (balances[msg.sender] >= _value && _value > 0) {
// ...
}
Code snippet:
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L48
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L59
2.4. ERC20 Compliance — event missing
Severity: low.
Description:
- According to the ERC20 standard, when coins are minted a Transfer event should be emitted.
- The createTokens function also should emit the Transfer event.
Code snippet:
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L127
https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L145
3. Conclusion
The audited smart contract has some ERC20 compliance issues that could cause loss of funds in particular situations. We recommend fixing these issues.
4. Revealing audit reports
- https://gist.github.com/yuriy77k/3ed8070ea3428c085ff2b41d015f92ba
- https://gist.github.com/yuriy77k/24e1f3af18913586b8cbddc5338eb68f
- https://gist.github.com/yuriy77k/f3ea10397d674838538698e1249048ea