PHI Token (PHI) Security Audit Report

Here is the report of the PHI Token (PHI) Security Audit performed by the Callisto Network security department in October 2018.
About Callisto Network and the security department:
Utilizing Callisto Network capabilities, we have established a free-for-all system of smart-contract auditing. To this end, Callisto Network has founded the Callisto security department and deploys treasury funds to pay security auditors for auditing smart contracts, to reduce risks and flaws in smart contracts and improve the adoption of programmable blockchains for the whole crypto industry.
PHI Token (PHI) Specifics:
Source Code:
https://github.com/vpomo/TokenPHI/tree/master/contracts
Platform:
ETH
1. Summary
PHI Token security audit report performed by the Callisto Security Audit Department.
2. In scope
- PHICrowdsale.sol github commit hash c0eeedc616935ce2cf72191567c05bc705e983a1.
3. Findings
In total, 6 issues were reported including:
- 2 medium severity issues.
- 3 low severity issues.
- 1 minor observation.
No critical security issues were found.
3.1. Token Minting
Severity: Medium
Description
- The mint(address _to, uint256 _amount, address _owner) function does not mint tokens but rather transfers tokens from the _owner address to the _to address; this allows the transfer of tokens from any address to another address. mint is marked as internal, so its usage is limited to inside the contract and it won't harm any investor.
- When the ICO ends, if the owner doesn't call ownerBurnToken, the tokens allocated for the crowdsale will be kept by the owner in his wallet, since mint does not really mint but just transfers tokens from the addressFundReferal or owner addresses.
- mintingFinished, a member of the MintableToken contract, is not intended to be set to true at any moment inside all the Token and ICO logic.
Code snippet
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L243#L253
3.2. ICO Rates
Severity: medium
Description
If a user buys tokens during the pre-ICO expecting ratePreIco to be applied, and tokenAllocated is higher than limitPreIco, then the rate used will be rateIco, resulting in an amountOfTokens lower than expected.
Code snippet
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L385#L395
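The following is an added illustration, not code from the PHI contracts or the audit: a Python model of the rate selection as finding 3.2 describes it, the token amount a pre-ICO buyer expects, and an assumed split-rate mitigation that is not a recommendation taken from the report. All rates and limits are constructed values.

```python
from fractions import Fraction

# Constructed parameters for illustration; the real PHICrowdsale values are
# deliberately not reproduced here.
RATE_PRE_ICO = 1200    # tokens per ETH in the pre-ICO phase (assumed)
RATE_ICO = 1000        # tokens per ETH in the main ICO phase (assumed)
LIMIT_PRE_ICO = 5_000  # tokens that may be sold at the pre-ICO rate (assumed)


def tokens_as_described(eth: int, token_allocated: int) -> int:
    """Rate selection modelled on finding 3.2 (not the contract's code):
    if the purchase would push tokenAllocated past limitPreIco, the whole
    purchase is priced at rateIco, even for a buyer in the pre-ICO phase."""
    if token_allocated + eth * RATE_PRE_ICO > LIMIT_PRE_ICO:
        return eth * RATE_ICO
    return eth * RATE_PRE_ICO


def tokens_expected_by_buyer(eth: int) -> int:
    """What a pre-ICO buyer expects: the advertised pre-ICO rate throughout."""
    return eth * RATE_PRE_ICO


def tokens_split_rate(eth: int, token_allocated: int) -> Fraction:
    """Assumed mitigation (not from the report): price the part of the
    purchase that still fits under limitPreIco at ratePreIco and only the
    remainder at rateIco, so a boundary purchase is never fully repriced."""
    remaining = max(LIMIT_PRE_ICO - token_allocated, 0)
    eth_at_pre = min(Fraction(eth), Fraction(remaining, RATE_PRE_ICO))
    eth_at_ico = Fraction(eth) - eth_at_pre
    return eth_at_pre * RATE_PRE_ICO + eth_at_ico * RATE_ICO


def shortfall(eth: int, token_allocated: int) -> int:
    """Tokens a pre-ICO buyer loses to the repricing described in 3.2."""
    return tokens_expected_by_buyer(eth) - tokens_as_described(eth, token_allocated)


if __name__ == "__main__":
    # Constructed scenario: 4400 tokens already allocated, buyer sends 1 ETH
    # during the pre-ICO; 1200 more tokens would cross the 5000 limit.
    print("described:", tokens_as_described(1, 4400))  # 1000
    print("expected :", tokens_expected_by_buyer(1))    # 1200
    print("shortfall:", shortfall(1, 4400))             # 200
    print("split    :", tokens_split_rate(1, 4400))     # 1100
```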
3.3. ICO Phases Time
Severity: low
Description
ICO phases can be started, extended or stopped at the owner's will.
Code snippet
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L495#L500
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L507#L512
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L518#L523
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L529#L533
3.4. Minting Event
Severity: low
Description
mintForFund should emit a Mint event after adding the fund value to every address.
Code snippet
https://github.com/RideSolo/TokenPHI/blob/master/contracts/PHICrowdsale.sol#L443#L456
3.5. Known Issues of ERC20 Standard
Severity: low
Description
- It is possible to perform a double withdrawal attack. More details here
- Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here
3.6. Different data in docs and code.
Severity: minor observation
Description
According to the documentation there are 60 000 000 tokens for sale, but in the code there are 60 250 000.
Recommendation
Please provide correct data and re-check all the values.
4. Conclusion
Smart contracts are intended to be more autonomous than centralized applications; crowdsale functions should be more decentralized to fully benefit from the trustless nature of the Ethereum blockchain.
Multiple issues have been raised; the contract developers should fix them before deployment.
5. Revealing audit reports
https://gist.github.com/yuriy77k/ed0c84ab3aab76310a94268b3115e6b9
https://gist.github.com/yuriy77k/05801fb042a3ad801f75e3ba7e55d390
https://gist.github.com/yuriy77k/6f4652404b25815ce2e7e6b59be9c4e8