
Basic Attention Token (BAT) Security Audit Report

Here is the report of the Basic Attention Token (BAT) Security Audit performed by the Callisto Network security department in April 2019.

About Callisto Network and the security department

Using Callisto Network's capabilities, we have established a free-for-all system of smart-contract auditing. To this end, Callisto Network has founded the Callisto security department and deploys treasury funds to pay security auditors for auditing smart contracts, in order to reduce risks and flaws in smart contracts and to improve the adoption of programmable blockchains across the whole crypto industry.

Basic Attention Token (BAT) specificities

  • Source code
  • Disclosure policy
  • Number of lines

1. Summary

Basic Attention Token (BAT) smart contract security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 4 issues were reported, including:

  • 1 medium severity issue.
  • 3 low severity issues.

No critical security issues were found.

3.1. Known vulnerabilities of ERC-20 token

Severity: low

  1. A double withdrawal attack is possible. More details here.
  2. Lack of a transaction handling mechanism: tokens sent to the token contract's own address cannot be recovered. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.

Add the following check to the transfer(address _to, ...) function:

require( _to != address(this) );

3.2. ERC20 Compliance — transfer should throw

Severity: medium

From the ERC-20 specification:

The function SHOULD throw if the _from account balance does not have enough tokens to spend.

In this implementation, however, transfer and transferFrom simply return false. This can lead to serious consequences, because callers rarely check the return value of these functions.
For example, an external contract may use this token contract as follows:

BatToken.transferFrom(recipient, this, value);
points[recipient] += value;

In this case the recipient can be credited any number of points even without enough tokens, because the failed transfer does not revert and the code continues.

Code snippet

3.3. ERC20 Compliance — zero-value transfers rejecting

Severity: low

EIP-20 says:

Transfers of 0 values MUST be treated as normal transfers and fire the Transfer event.

But in this contract, the transfer and transferFrom functions have the condition:

if (balances[msg.sender] >= _value && _value > 0) {
    // ...
}

Code snippet

3.4. ERC20 Compliance — event missing

Severity: low

  1. According to the ERC-20 standard, a Transfer event should be emitted when tokens are minted.
  2. The createTokens function should therefore also emit the Transfer event.

Code snippet

4. Conclusion

The audited smart contract has some ERC-20 compliance issues that could cause loss of funds in particular situations. We recommend fixing these issues.

5. Revealing audit reports