CryptoAds Token (CRAD) security audit, conducted by the Callisto Network Security Department in April 2019.
CryptoAds (CRAD) Specificities
CRAD CASH is the token used by the CryptoAds project.
Public and [email protected]
Number of lines:
Symbol: CRAD
Name: CRAD CASH
Total supply: 100,000,000
Decimals: 18
Standard: ERC20/ERC223
1. In scope
In total, 6 issues were reported including:
2 medium severity issues.
3 low severity issues.
2.1. ERC223 & ERC20 Implementation
Implementing both ERC20 and ERC223 in the same contract, as is done in the Crad Cash token, does not make sense, because the contract still allows tokens to be sent to a contract address through the plain ERC20 function transfer(address _to, uint256 _value), which never notifies the recipient. In a normal ERC223 implementation, transfer(address _to, uint256 _value) simply calls transfer(address _to, uint _value, bytes memory _data) with empty data, so that tokenFallback is invoked on any contract recipient regardless of which signature the sender used.
This implementation therefore does not prevent contracts, dapps or users from transferring tokens to a contract that cannot handle them, since the most widely used function is transfer(address _to, uint256 _value) and not transfer(address _to, uint256 _value, bytes memory _data). All the ERC20 problems that ERC223 was designed to solve still apply.
2.2. ERC223 Transfer
In the transfer(address _to, uint _value, bytes memory _data) function, if the _to address is a contract, tokenFallback is called before the tokens are credited to the recipient's balance. This causes compatibility issues, since the ERC223 standard calls tokenFallback after the tokens have been credited: a receiving contract that inspects its balance inside tokenFallback will still see the pre-transfer amount. Making the external call before updating state also departs from the checks-effects-interactions pattern. Check here for more details.
2.3. Transfer Event
A Transfer event should be emitted when the owner's initial balance is set in the constructor, so that block explorers and other indexers can account for the initial supply.
2.4. Fallback Function
Any ether sent to the contract through the fallback function is forwarded to the contract owner. The developers should explain the purpose of this logic.
2.5. Transfer to 0x0 Address
transfer(address _to, uint _value, bytes memory _data) does not prevent tokens from being sent to the 0x0 address.
Add a requirement checking that the _to address is different from 0x0.
2.6. Known vulnerabilities of ERC-20 token
A double withdrawal attack on approve/transferFrom is possible. More details here.
Tokens sent to the token contract's own address are typically unrecoverable. Add the following code to the transfer(address _to, ...) function:
require( _to != address(this) );
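The following is an added example written for this edit of the report, not code from the CryptoAds/CRAD CASH contract or from Callisto: a minimal ERC223 token showing how findings 2.1, 2.2, 2.3, 2.5 and the address(this) check in 2.6 can be addressed together. The contract name CradCashFixed and the receiver interface name ERC223ReceivingContract are assumed; the ether-forwarding fallback (2.4) and the ERC20 allowance functions (the approve race in 2.6) are deliberately left out.

```solidity
pragma solidity ^0.5.0;

// Added example, not the audited CRAD CASH contract. The names CradCashFixed
// and ERC223ReceivingContract are assumptions made for this illustration.

// Receiver interface defined by ERC223. Any contract that wants to accept
// this token must implement it.
contract ERC223ReceivingContract {
    function tokenFallback(address _from, uint256 _value, bytes memory _data) public;
}

contract CradCashFixed {
    string public constant name = "CRAD CASH";
    string public constant symbol = "CRAD";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;

    mapping(address => uint256) private balances;

    // ERC20-style Transfer event, which block explorers index.
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() public {
        totalSupply = 100000000 * (10 ** uint256(decimals));
        balances[msg.sender] = totalSupply;
        // 2.3: emit a Transfer from the zero address so the initial
        // allocation is visible to indexers.
        emit Transfer(address(0), msg.sender, totalSupply);
    }

    function balanceOf(address _owner) public view returns (uint256) {
        return balances[_owner];
    }

    // 2.1: the two-argument ERC20 signature does not bypass ERC223; it just
    // forwards with empty data, so contract recipients always get tokenFallback.
    function transfer(address _to, uint256 _value) public returns (bool) {
        bytes memory empty;
        return transfer(_to, _value, empty);
    }

    function transfer(address _to, uint256 _value, bytes memory _data) public returns (bool) {
        // 2.5: no transfers to the zero address.
        require(_to != address(0), "transfer to zero address");
        // 2.6: no transfers to the token contract itself.
        require(_to != address(this), "transfer to token contract");
        require(balances[msg.sender] >= _value, "insufficient balance");

        // Checks-effects-interactions: update state before the external call.
        balances[msg.sender] -= _value;
        balances[_to] += _value; // cannot overflow: sum of balances == totalSupply
        emit Transfer(msg.sender, _to, _value);

        // 2.2: tokenFallback is called after the balance has been credited,
        // as the ERC223 standard specifies. A receiver that checks its own
        // balance in the callback now sees the new value.
        if (isContract(_to)) {
            ERC223ReceivingContract(_to).tokenFallback(msg.sender, _value, _data);
        }
        return true;
    }

    // Distinguish externally owned accounts from deployed contracts by code
    // size. Caveat: extcodesize is 0 while a contract's constructor is running,
    // so a contract receiving tokens during its own deployment is treated as
    // an externally owned account and gets no tokenFallback call.
    function isContract(address _addr) private view returns (bool) {
        uint256 length;
        assembly { length := extcodesize(_addr) }
        return length > 0;
    }
}
```

Because tokenFallback is an external call into untrusted code, keeping it as the last step of transfer matters for more than standard compliance: a recipient that re-enters the token during the callback observes balances that are already final.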
The audited smart contract must not be deployed. The reported issues must be fixed before this contract is used.
4. Revealing audit reports