CryptoAds Token (CRAD) security audit, conducted by the Callisto Network Security Department in April 2019.
CryptoAds (CRAD) Specificities
Audit Request
CRAD CASH, the token used by the CryptoAds project.
Source Code:
Disclosure policy:
Public and alex@cfc.io
Platform:
ETH.
Number of lines:
141.
Token description:
Symbol : CRAD
Name : CRAD CASH
Total supply: 100,000,000
Decimals : 18
Standard : ERC20/ERC223
CryptoAds Token (CRAD) Smart Contract Security Audit Report
1. In scope
2. Findings
In total, 6 issues were reported including:
- 2 medium severity issues.
- 3 low severity issues.
- 1 note.
2.1. ERC223 & ERC20 Implementation
Severity: medium.
Description:
-
- Implementing both ERC20 and ERC223 in the same contract, as is done in the Crad Cash token, defeats the purpose of ERC223: the implementation still allows token transfers to contracts through the ERC20 function transfer(address _to, uint256 _value), which does not notify the recipient. In a normal ERC223 implementation, transfer(address _to, uint256 _value) still calls transfer(address _to, uint _value, bytes memory _data) by simply passing an empty _data array, so the recipient's tokenFallback is always invoked. Because the most commonly used function is transfer(address _to, uint256 _value) and not transfer(address _to, uint256 _value, bytes memory _data), nothing prevents contracts, dapps or users from sending tokens to contracts that cannot handle them, and all the ERC20 problems that ERC223 solves remain applicable.
Code snippet:
https://gist.github.com/RideSolo/ab90f1c3a8808fd1ab7f286d4152fc76#file-crad-sol-L146
2.2. ERC223 Transfer
Severity: medium.
Description:
-
- When transfer(address _to, uint _value, bytes memory _data) is called and the _to address is a contract, tokenFallback is called before the tokens are credited to the contract's balance. This causes compatibility issues, since the ERC223 standard calls tokenFallback after the tokens have been assigned to the contract address: a receiving contract that reads its balance inside tokenFallback sees the pre-transfer value, and the external call is made while the token state is still stale. Check here for more details.
Code snippet:
2.3. Transfer Event
Severity: low.
Description:
A Transfer event should be emitted when the owner balance is initialized in the constructor, so that explorers and wallets can account for the initial supply.
Code snippet:
https://gist.github.com/RideSolo/ab90f1c3a8808fd1ab7f286d4152fc76#file-crad-sol-L175#L179
2.4. Fallback Function
Severity: note.
Description:
-
Any ether sent to the contract through the fallback function is forwarded to the contract owner; the developers should explain the reason for this logic.
Code snippet:
https://gist.github.com/RideSolo/ab90f1c3a8808fd1ab7f286d4152fc76#file-crad-sol-L180
2.5. Transfer to 0x0 Address
Severity: low.
Description:
-
transfer(address _to, uint _value, bytes memory _data) does not prevent tokens from being sent to the 0x0 address.
Code snippet:
https://gist.github.com/RideSolo/ab90f1c3a8808fd1ab7f286d4152fc76#file-crad-sol-L146
Recommendation:
Add a require statement checking that the _to address is different from address(0).
2.6. Known vulnerabilities of ERC-20 token
Severity: low.
Description:
- A double withdrawal attack on approve/transferFrom (the ERC20 allowance front-running issue) is possible. More details here.
- Lack of transaction handling mechanism issue: tokens sent to the contract's own address, or to any contract that cannot handle them, are lost. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.
Recommendation:
Add the following code to the transfer(address _to, ...) function:
require( _to != address(this) );
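As an added example, not the audited CRAD contract and not code from Callisto or the CryptoAds project, the following minimal token shows the transfer path with the fixes from findings 2.1, 2.2, 2.3, 2.5 and 2.6 applied together. The contract name HardenedToken and the helper isContract are assumptions made for illustration; the name, symbol, decimals and total supply are taken from the audit request above.

```solidity
pragma solidity ^0.5.0;

// Receiver-side interface from the ERC223 proposal: a contract that wants to
// accept tokens must implement tokenFallback, otherwise the transfer reverts.
interface ERC223Receiver {
    function tokenFallback(address _from, uint256 _value, bytes calldata _data) external;
}

// Illustrative token (assumed name) with the fixes from 2.1, 2.2, 2.3, 2.5 and 2.6.
contract HardenedToken {
    string  public constant name     = "CRAD CASH"; // parameters from the audit request
    string  public constant symbol   = "CRAD";
    uint8   public constant decimals = 18;
    uint256 public totalSupply;

    mapping(address => uint256) private balances;

    // ERC20-style event plus the ERC223 variant carrying _data.
    event Transfer(address indexed from, address indexed to, uint256 value);
    event Transfer(address indexed from, address indexed to, uint256 value, bytes data);

    constructor() public {
        totalSupply = 100000000 * 10 ** uint256(decimals);
        balances[msg.sender] = totalSupply;
        // 2.3: log the initial allocation as a transfer from the zero address.
        emit Transfer(address(0), msg.sender, totalSupply);
    }

    function balanceOf(address _owner) public view returns (uint256) {
        return balances[_owner];
    }

    // 2.1: the two-argument ERC20 entry point must not bypass the ERC223 logic,
    // so it forwards to the three-argument version with an empty _data array.
    function transfer(address _to, uint256 _value) public returns (bool) {
        bytes memory empty;
        return transfer(_to, _value, empty);
    }

    function transfer(address _to, uint256 _value, bytes memory _data) public returns (bool) {
        require(_to != address(0), "transfer to the zero address");      // 2.5
        require(_to != address(this), "transfer to the token contract"); // 2.6
        require(balances[msg.sender] >= _value, "insufficient balance");

        // 2.2: update balances BEFORE the external call (checks-effects-interactions),
        // so tokenFallback observes the post-transfer balance and a re-entrant call
        // cannot act on stale state. The addition cannot overflow because the
        // balances always sum to the fixed totalSupply.
        balances[msg.sender] -= _value;
        balances[_to] += _value;

        if (isContract(_to)) {
            ERC223Receiver(_to).tokenFallback(msg.sender, _value, _data);
        }
        emit Transfer(msg.sender, _to, _value);
        emit Transfer(msg.sender, _to, _value, _data);
        return true;
    }

    // Caveat: extcodesize is 0 while a contract is still executing its
    // constructor, so such a recipient is treated as an externally owned account.
    function isContract(address _addr) private view returns (bool) {
        uint256 length;
        assembly { length := extcodesize(_addr) }
        return length > 0;
    }
}
```

Compared with the behaviour described in 2.2, the only ordering change is that the balance writes precede the tokenFallback call; the two require checks at the top of the three-argument transfer implement the recommendations in 2.5 and 2.6, and routing the two-argument transfer through it closes the gap described in 2.1.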
3. Conclusion
The audited smart contract must not be deployed. Reported issues must be fixed prior to the usage of this contract.
4. Revealing audit reports
https://gist.github.com/yuriy77k/7cf31491fed613a2957689eac67abb6a
https://gist.github.com/yuriy77k/c95a37906e305d52097cde1b27542e35
https://gist.github.com/yuriy77k/6db564588bbe401a519289efac98ff24