BRICS Token Security Audit Report

Are Your Funds Safe?

Our expert team at Callisto Network has conducted an in-depth security audit of the BRICS Token smart contract. This audit aims to ensure the security of your funds by identifying and assessing any potential vulnerabilities. Here, we present our findings:

0 Total Finding(s)

  • 0 High severity issue(s)
  • 0 Medium severity issue(s)
  • 0 Low severity issue(s)
  • 2 note(s)
  • 8 owner privilege(s)

Executive Summary

This report presents the results of the security audit conducted by the Callisto Network Security Department on the BRICS Token smart contract in September 2023. It analyzes the contract’s security posture in-depth and highlights any identified vulnerabilities.

1. Scope of the Audit

Source Code:

The audit focused on the following BRICS contract:

2. Audit Findings

Our audit reported a total of 0 finding(s), categorized as follows:

  • 0 high-severity issue(s).
  • 0 medium-severity issue(s).
  • 0 low-severity issue(s).

In addition to these findings, our audit identified 10 additional points, detailed in the following sections:

  • 2 note(s).
  • 8 owner privilege(s).

2.1 Missing Events Access Control


Severity:

Note.

Description:

Critical access-control parameters can be changed without an event being emitted, so such changes cannot be tracked off-chain.


Recommendation

Emit an event for critical parameter changes.

2.2 Owner Privileges


Severity:

Owner Privileges.

Description:

BlackList

  1. The addBlackList function blocks token transfers for the blacklisted user.
  2. The destroyBlackFunds function sets the blacklisted user’s balance to zero.

Pausable

  1. The pause function allows the owner to stop the transfer and transferFrom operations.

BRICSChainToken

  1. The deprecate function allows the owner to change the address of the token at any time.
  2. The issue, mint and mintTo functions allow the owner to issue an unlimited number of tokens.
  3. The redeem function allows the owner to burn tokens, but no more than balances[owner].
  4. The setParams function allows the owner to change basisPointsRate and maximumFee, but not more than 20 and 50 respectively.
  5. The recoverTokens function allows the owner to withdraw tokens after an upgrade.


Recommendation

Since the owner has unrestricted rights over the contract, ownership must be transferred to a multi-signature contract.

2.3 Follow Good Coding Practice


Severity:

Note.

Description:

  1. Unlocked Pragma.

Contracts should be deployed using the same compiler version and flags with which they have been tested. Locking the floating pragma, i.e., removing the ^ from pragma solidity ^0.4.17, ensures that contracts are not accidentally deployed with a compiler version that contains unfixed bugs.

  2. Missing Docstrings.

The contracts in the code base lack documentation. This hinders reviewers’ understanding of the code’s intention, which is fundamental to correctly assessing security and correctness. Additionally, docstrings improve readability and ease maintenance. They should explicitly explain the purpose or intention of the functions, the scenarios under which they can fail, the roles allowed to call them, the values returned, and the events emitted.

Consider thoroughly documenting all functions (and their parameters) that are part of the contracts’ public API. Functions implementing sensitive functionality, even if not public, should also be documented. Consider following the Ethereum Natural Specification Format (NatSpec) when writing docstrings.

  3. Missing Test Suite.

The contract lacks a test suite to validate and verify the behavior of its functionalities. Adding tests is recommended to ensure the contract functions and behaves as expected.

  4. Functions Not Used Internally Could Be Marked As External.

It is good coding practice to mark a function external when it is never called from within the contract but only from outside it.
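As an added illustration (not the BRICS code), the following Solidity fragment applies the points from 2.1 and 2.3 together: an event on every critical parameter and ownership change, a locked pragma, NatSpec docstrings and external visibility for functions not used internally. The contract name FeeParams, the 0.8.20 compiler version and the event names are assumptions; the 20 and 50 bounds are the ones stated in 2.2.

```solidity
// SPDX-License-Identifier: MIT
// Locked pragma (no caret): bytecode is only built with the tested compiler.
// The audited contract declares ^0.4.17; 0.8.20 is assumed here for illustration.
pragma solidity 0.8.20;

/// @title Fee parameters with events, bounds and NatSpec (illustrative, not the BRICS code)
/// @notice Shows how critical owner-controlled changes are made visible through events.
contract FeeParams {
    uint256 public constant MAX_BASIS_POINTS = 20; // cap for basisPointsRate stated in the audit
    uint256 public constant MAX_FEE = 50;          // cap for maximumFee stated in the audit

    address public owner;
    uint256 public basisPointsRate;
    uint256 public maximumFee;

    /// @notice Emitted whenever the fee parameters change, so off-chain monitors can track them.
    event ParamsChanged(uint256 oldBasisPointsRate, uint256 newBasisPointsRate,
                        uint256 oldMaximumFee, uint256 newMaximumFee);
    /// @notice Emitted on every ownership change (a critical access-control parameter).
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    /// @notice Update the fee parameters within the audited bounds.
    /// @dev Only the owner may call; reverts if a bound is exceeded. Emits {ParamsChanged}.
    /// @param newBasisPoints new basisPointsRate (must be <= 20)
    /// @param newMaxFee new maximumFee (must be <= 50)
    function setParams(uint256 newBasisPoints, uint256 newMaxFee) external onlyOwner {
        require(newBasisPoints <= MAX_BASIS_POINTS, "basisPointsRate > 20");
        require(newMaxFee <= MAX_FEE, "maximumFee > 50");
        emit ParamsChanged(basisPointsRate, newBasisPoints, maximumFee, newMaxFee);
        basisPointsRate = newBasisPoints;
        maximumFee = newMaxFee;
    }

    /// @notice Hand ownership to a new owner, e.g. a multi-signature wallet contract.
    /// @dev Rejects the zero address. Emits {OwnershipTransferred}. External: never called internally.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}
```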

3. Security Practices

4. Conclusion

The audited smart contract can be deployed. No security issues were found during the audit.

Users should pay attention to the owner’s unlimited privileges.

It is recommended to adhere to the security practices described in pt. 4 of this report to ensure the contract’s operability and to prevent issues that are not directly related to the code of this smart contract.

6. CLO Coin Buyback & Burn Strategy

In each smart contract audit, the Callisto Security Department directly boosts CLO’s value by allocating a portion of the audit’s revenue for a CLO coin buyback and burn. This adds another layer of utility for our community.

For this audit of BRICS Token:

  • Buyback Funds: 200 USD
  • CLO Coins Purchased: To be announced.

These purchased coins were subsequently burned, reducing CLO’s total supply and enhancing its value for all holders.

Verify Transactions:

  • Transfer of 200 USD to Bitfinex. (To be announced.)
  • Purchase and burn of CLO coins. (To be announced.)

The buyback and burn strategy directly ties our Security Department’s success to CLO’s value, adding another layer of utility for our community. For more details, see our GitHub.

About Callisto Network

Founded by Dexaran, co-founder of Ethereum Classic, Callisto Network is a blockchain platform that prioritizes security. We’ve conducted over 330 smart contract audits across platforms like Ethereum, Ethereum Classic, and EOS. In addition to our audits, we’ve developed the ERC 223 token standard and CallistoNFT standard, enhancements over existing standards that address flaws and offer new capabilities, further establishing us as industry leaders in crypto-security.

Trust The Blockchain, Audit Your Smart Contracts.