Basic Attention Token (BAT) Security Audit Report
Are Your Funds Safe?
Our expert team at Callisto Network has conducted an in-depth security audit of the Basic Attention Token (BAT) smart contract. This audit aims to ensure the security of your funds by identifying and assessing any potential vulnerabilities. Here, we present our findings:
Executive Summary
This report presents the results of the security audit conducted by the Callisto Network Security Department on the Basic Attention Token (BAT) smart contract in April 2019. It analyzes the contract’s security in-depth and highlights any identified vulnerabilities.
1. Scope of the Audit
The audit focused on the following Basic Attention Token (BAT) contract:
2. Audit Findings
Our audit reported a total of 4 finding(s), categorized as follows:
- 0 high-severity issue(s).
- 1 medium-severity issue(s).
- 3 low-severity issue(s).
No critical security issues were found.
2.1 Known Vulnerabilities of ERC-20 Token
- The smart contract is susceptible to double withdrawal attacks. Learn more about this type of attack here.
- The contract lacks a transaction handling mechanism. WARNING! This common vulnerability has already led to significant financial losses. For a comprehensive understanding of this issue, click here.
Recommendation:
Add the following check to the transfer(address _to, ...) function:
require( _to != address(this) );
2.2 ERC20 Compliance — transfer should throw
The function SHOULD throw if the _from account balance does not have enough tokens to spend. But in this implementation of transfer and transferFrom it just returns false. This can lead to serious consequences, because checking the return value of this function is rare.
For example, an external contract may use this token contract as follows:
BatToken.transferFrom(recipient, this, value);
points[recipient] += value;
In this case, the recipient can be credited with any amount of points even when they do not have enough tokens, because the call succeeds instead of throwing.
Code Snippet:
- https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L54.
- https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L66.
2.3 ERC20 Compliance — zero-value transfers rejected
Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event. But in this contract, the functions transfer and transferFrom have the following condition, which rejects them:
if (balances[msg.sender] >= _value && _value > 0) {
// ...
}
Code Snippet:
- https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L48.
- https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L59.
2.4 ERC20 Compliance — event missing
- According to the ERC20 standard, a Transfer event should be emitted when coins are minted.
- The createTokens function should therefore also emit the Transfer event.
Code Snippet:
- https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L127.
- https://gist.github.com/yuriy77k/9f8fcc78745cf81e3aff92da724b3d5c#file-batoken-sol-L145.
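The consumer-side check for the pattern quoted in 2.2 together with the token-side fixes for findings 2.1 to 2.4, as an added Solidity example that is not the audited BAT contract or Callisto's code; the contract and function names (PointsShop, CompliantToken, _move) are assumed, and the token is reduced to the functions needed to show the point.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Hypothetical integrator (names assumed) crediting points for deposited tokens.
contract PointsShop {
    IERC20 public immutable token;
    mapping(address => uint256) public points;
    constructor(IERC20 _token) { token = _token; }

    // Hardened form of the pattern quoted in 2.2: with a token that returns false
    // instead of reverting, the unchecked call would credit points for tokens never
    // received; require() turns that false into a revert, so points are only
    // credited when the tokens actually moved (works for both token behaviours).
    function deposit(uint256 value) external {
        require(token.transferFrom(msg.sender, address(this), value), "transfer failed");
        points[msg.sender] += value;
    }
}

// Token-side fixes for findings 2.1 to 2.4, concentrated in one internal move function.
contract CompliantToken is IERC20 {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply); // 2.4: minting emits Transfer
    }
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        return true;
    }
    function _move(address from, address to, uint256 value) internal {
        require(to != address(this), "to is token contract");     // 2.1 recommendation
        require(balanceOf[from] >= value, "insufficient balance"); // 2.2: revert, not false
        balanceOf[from] -= value;                                  // 2.3: value == 0 allowed
        balanceOf[to] += value;
        emit Transfer(from, to, value);                            // fires for zero value too
    }
    function transferFrom(address from, address to, uint256 value) external override returns (bool) {
        require(allowance[from][msg.sender] >= value, "insufficient allowance");
        allowance[from][msg.sender] -= value;
        _move(from, to, value);
        return true;
    }
}
```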
3. Conclusion
The audited smart contract has some issues with ERC20 Compliance that could cause money loss in a particular situation. We recommend fixing these issues.
About Callisto Network
Founded by Dexaran, co-founder of Ethereum Classic, Callisto Network is a blockchain platform that prioritizes security. We’ve conducted over 330 smart contract audits across platforms like Ethereum, Ethereum Classic, and EOS. In addition to our audits, we’ve developed the ERC 223 token standard and CallistoNFT standard, enhancements over existing standards that address flaws and offer new capabilities, further establishing us as industry leaders in crypto-security.
