Binance Token (BNB) security audit, conducted by the Callisto Network Security Department in March 2019.
Binance Token (BNB) Specificities
Audit Request: Audit Top 200 CoinMarketCap tokens.
Symbol: BNB
Name: Binance Token
Circulating supply: 141 175 490
Total Supply: 189 175 490
Max Supply: No Data
Deployed at: https://etherscan.io/address/0xB8c77482e45F1F44dE1745F52C74426C631bDD52#code
Source Code: https://gist.github.com/yuriy77k/7612e9b1f915f169542e711dd6a29166
Disclosure policy: Public.
Platform: ETH.
Number of lines: 119.
Binance Token (BNB) Smart Contract Security Audit Report
Are Your Funds Safe?
1. In scope
2. Findings
In total, 5 issues were reported, including:
- 5 low severity issues.
No critical security issues were found.
2.1. Known vulnerabilities of ERC-20 token
Severity: low.
Description:
- A double withdrawal attack is possible. More details here.
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.
Recommendation:
Add the following check to the transfer(address _to, ...) function:
require( _to != address(this) );
2.2. ERC20 Compliance — event missing
Severity: low.
Description:
- According to the ERC20 standard, when coins are minted a Transfer event should be emitted.
- There is no Approval event call in the approve function, and EIP20 says:
MUST trigger on any successful call to approve(address _spender, uint256 _value).
- The burn function should also emit the Transfer event.
Code snippet:
2.3. ERC20 Compliance — zero-value transfers rejecting
Severity: low.
Description:
EIP20 says that:
Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event.
But in this contract, the transfer function has a condition that rejects them:
if (_value <= 0) throw;
Code snippet:
2.4. Default approve value
Severity: low.
Description:
- There is no way to reset an approved value to 0, because the approve function contains:
if (_value <= 0) throw;
- This also breaks the EIP20 security recommendation:
To prevent attack vectors like the one described here and discussed here, clients SHOULD make sure to create user interfaces in such a way that they set the allowance first to 0 before setting it to another value for the same spender. THOUGH The contract itself shouldn’t enforce it, to allow backwards compatibility with contracts deployed before.
Code snippet:
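As an added illustration (not the audited BNB contract's code), the fragment below is a hypothetical minimal ERC-20 token written to satisfy the recommendations of findings 2.1 to 2.4: it rejects transfers to the token contract itself, treats zero-value transfers as normal transfers, allows the allowance to be reset to 0, and emits Transfer and Approval where EIP20 requires them. The contract name, the 0.4.x pragma and the explicit overflow guard are assumptions of this example.

```solidity
pragma solidity ^0.4.24;

// Added example, not the audited BNB contract: a minimal ERC-20 fragment
// that applies the recommendations from findings 2.1 to 2.4 above.
contract HardenedTokenFragment {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed _from, address indexed _to, uint256 _value);
    event Approval(address indexed _owner, address indexed _spender, uint256 _value);

    constructor(uint256 _initialSupply) public {
        totalSupply = _initialSupply;
        balanceOf[msg.sender] = _initialSupply;
        // 2.2: minting must emit Transfer (from the zero address)
        emit Transfer(address(0), msg.sender, _initialSupply);
    }

    function transfer(address _to, uint256 _value) public returns (bool) {
        // 2.1: tokens sent to the token contract itself would be stuck; reject
        require(_to != address(this));
        // 2.3: no "if (_value <= 0) throw;" here; a zero-value transfer is a normal transfer
        require(balanceOf[msg.sender] >= _value);
        require(balanceOf[_to] + _value >= balanceOf[_to]); // overflow guard (pre-0.8 compiler)
        balanceOf[msg.sender] -= _value;
        balanceOf[_to] += _value;
        emit Transfer(msg.sender, _to, _value);
        return true;
    }

    function approve(address _spender, uint256 _value) public returns (bool) {
        // 2.4: no "if (_value <= 0) throw;" here, so the allowance can be reset to 0
        allowance[msg.sender][_spender] = _value;
        // 2.2: EIP20 requires Approval on every successful approve call
        emit Approval(msg.sender, _spender, _value);
        return true;
    }

    function burn(uint256 _value) public returns (bool) {
        require(balanceOf[msg.sender] >= _value);
        balanceOf[msg.sender] -= _value;
        totalSupply -= _value;
        // 2.2: burning should emit Transfer to the zero address
        emit Transfer(msg.sender, address(0), _value);
        return true;
    }
}
```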
2.5. Fallback Function
Severity: low.
Description:
Any ether sent directly to the contract through the fallback function will not result in an automatic buy of tokens but instead is directly sent to the contract balance.
Code snippet:
3. Conclusion
The audited smart contract can be deployed. Only low severity issues were found during the audit.
4. Revealing audit reports
- https://gist.github.com/yuriy77k/b228e8df2aa47aef84e91423dd340894
- https://gist.github.com/yuriy77k/ee463004023c4caee3b36bea30deb32f
- https://gist.github.com/yuriy77k/b15d652f64211b51711f0648cdab6000