LCX Token (LCX) security audit, conducted by the Callisto Network Security Department in August 2019.

LCX (LCX) Specificities

Audit Request

Smart Contract Audit for Listing on Exchanges.

The previously audited source code contains the TokenVesting and lcxToken contracts, but at address 0x037a54aab062628c9bbae1fdb1583c195585fe41 only the lcxToken contract was deployed, which has no high severity issues.

In this audit, please check the updated TokenVesting contract.

Website:

https://www.lcx.com/

Source Code:

Disclosure policy:

Standard disclosure policy.

Contact Information:

anurag@lcx.com

Platform:

ETH.

Number of lines:

220 (110 points for reaudit #348).

LCX Token (LCX) Smart Contract Security Audit Report

Are Your Funds Safe?

1. In scope

2. Findings

In total, 5 issues were reported including:

  • 3 low severity issues.
  • 2 owner privileges (the ability of the owner to manipulate the contract, which may be risky for investors).

2.1. Owner Privileges

Severity: Owner privileges

Description:

  • The contract owner can:
  1. Replace the token contract that the vesting contract pays out from, and so redirect every release to a new contract with arbitrary logic:
    function setTokenAddress(IERC20 token) public onlyOwner returns(bool){
        LCXToken = token;   // no timelock, no event, no check that the address is a token
        return true;
    }
  2. Revoke a user's vesting and transfer the unvested part of the allocation to himself, even if the user paid for those tokens with ETH or another asset:
    function revoke(address account) public onlyOwner {
        VestedToken storage vested = vestedUser[account];
        require(!vested.revoked);
        uint256 balance = vested.totalToken;
        uint256 vestedAmount = _vestedAmount(account);
        uint256 refund = balance.sub(vestedAmount);   // everything not yet vested
        require(refund > 0);
        vested.revoked = true;
        vested.totalToken = vestedAmount;             // user keeps only what has vested so far
        LCXToken.safeTransfer(owner(), refund);       // unvested remainder goes to the owner
        emit VestingRevoked(account);
    }
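As an added example (not LCX's code and not part of the original report), the hypothetical contract below shows how both privileges can be narrowed: the token address is fixed in the constructor with no setter, and every grant carries a revocable flag that is decided when the grant is created, so allocations that users paid for can be created non-revocable. The names (HardenedVesting, Grant, grants, setVesting, release) and the linear cliff/duration schedule are assumptions; the audited contract's _vestedAmount is not shown on this page, so the schedule here is the usual OpenZeppelin-style one. The revoke arithmetic is kept identical to the audited function so that the only behavioural change is the extra precondition.

```solidity
pragma solidity ^0.5.0;

// Minimal ERC-20 surface used below (assumption; stands in for IERC20/SafeERC20).
interface IERC20 {
    function transfer(address to, uint256 value) external returns (bool);
}

// Hypothetical hardened vesting contract, written for this report as an illustration.
contract HardenedVesting {
    struct Grant {
        uint256 start;
        uint256 cliff;      // seconds after start before anything vests
        uint256 duration;   // seconds after start until fully vested
        uint256 total;
        uint256 released;
        bool revocable;     // fixed at creation; purchased allocations are created with false
        bool revoked;
    }

    IERC20 public token;    // set once in the constructor; there is no setTokenAddress()
    address public owner;
    mapping(address => Grant) public grants;

    event VestingRevoked(address indexed account, uint256 refund);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 token_) public {
        require(address(token_) != address(0), "zero token address");
        token = token_;
        owner = msg.sender;
    }

    // The owner still creates grants, but whether a grant can ever be revoked
    // is recorded on-chain at that moment and cannot be changed afterwards.
    function setVesting(address account, uint256 amount, uint256 cliff,
                        uint256 duration, uint256 startAt, bool revocable) external onlyOwner {
        require(account != address(0), "zero account");
        require(cliff <= duration && duration > 0, "bad schedule");
        require(grants[account].total == 0, "grant exists");
        grants[account] = Grant(startAt, cliff, duration, amount, 0, revocable, false);
    }

    // Linear vesting after the cliff; a revoked grant is capped at what had vested.
    function vestedAmount(address account) public view returns (uint256) {
        Grant storage g = grants[account];
        if (now < g.start + g.cliff) return 0;
        if (g.revoked || now >= g.start + g.duration) return g.total;
        return g.total * (now - g.start) / g.duration;
    }

    // Beneficiary pulls whatever has vested and not yet been released.
    function release() external {
        Grant storage g = grants[msg.sender];
        uint256 unreleased = vestedAmount(msg.sender) - g.released; // vested >= released always
        require(unreleased > 0, "nothing to release");
        g.released += unreleased;
        require(token.transfer(msg.sender, unreleased), "transfer failed");
    }

    // Same arithmetic as the audited revoke(), refused for non-revocable grants.
    function revoke(address account) external onlyOwner {
        Grant storage g = grants[account];
        require(g.revocable, "grant is not revocable");
        require(!g.revoked, "already revoked");
        uint256 vested = vestedAmount(account);
        uint256 refund = g.total - vested;   // vested <= total by construction
        require(refund > 0, "nothing to refund");
        g.revoked = true;
        g.total = vested;
        require(token.transfer(owner, refund), "transfer failed");
        emit VestingRevoked(account, refund);
    }
}
```

With this layout an investor can read the revocable flag of his own grant from the public grants mapping before buying, and a token-address swap is impossible by construction rather than merely discouraged.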

2.2. No checking for zero address

Severity: low.

Description:

  • Incoming addresses should be checked for an empty value (the 0x0 address).

Code snippet:

 

2.3. Bypassing Smart Contract Timelocks

Severity: low.

Description:

There is no check preventing the beneficiary address from being a contract address.

Example:

A user can divest himself of his interest in the locked tokens even though the tokens never move: he does not sell the timelocked tokens themselves, he sells the future ownership of them.
The deployer of the LCX vesting contract asks the user for the address at which he would like to receive his tokens after the releaseTime expires in three years.
The user deploys a "Bypasser" contract and gives its address to the deployer of the LCX vesting contract. The Bypasser contract does not magically make the timelocked tokens transferable; it makes the future ownership of the timelocked tokens transferable.

More details here.

Code snippet:

https://github.com/tech-lcx/LCX-Smart-Contract/blob/1021bf8e087d1c3bd56ddc9f7f117e5d94a727ca/vestingToken.sol#L287-L298

    function _setVesting(address account, uint256 amount, uint256 cliff, uint256 duration, uint256 startAt) internal {
        require(account!=address(0));   // zero address is rejected, a contract address is not
        require(cliff<=duration);
        VestedToken storage vested = vestedUser[account];
        vested.cliff = cliff;
        vested.start = startAt;
        vested.duration = duration;
        vested.totalToken = amount;
        vested.releasedToken = 0;
        vested.revoked = false;
    }
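As an added example (not from the LCX repository and not part of the original report), the following code shows the attack described above next to the check this finding asks for. Bypasser is registered as the beneficiary instead of an externally owned account; its ownership can be sold for ETH at any time, and after the cliff whoever owns it collects the released tokens. The IVesting.release() signature is an assumption, since the page does not show the release function. BeneficiaryRegistry is a hypothetical stand-in for the grant-creation path and rejects addresses that already hold code via extcodesize. Two caveats a practitioner should keep in mind: a CREATE2 address can be precomputed and registered before any code exists at it, and an EOA's private key can be sold just like a contract's ownership, so the check narrows the bypass but cannot eliminate it.

```solidity
pragma solidity ^0.5.0;

// Minimal ERC-20 surface used here (assumption; stands in for IERC20).
interface IERC20 {
    function transfer(address to, uint256 value) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Assumed interface of the vesting contract: release() pays the caller's
// vested tokens to msg.sender. The real LCX signature is not shown on this page.
interface IVesting {
    function release() external;
}

// Registered as the vesting beneficiary instead of an EOA. The locked tokens
// never move early; what trades is the right to collect them later.
contract Bypasser {
    IVesting public vesting;
    IERC20 public token;
    address payable public owner;
    uint256 public price; // asking price in wei, 0 = not for sale

    event OwnershipSold(address indexed from, address indexed to, uint256 paid);

    constructor(IVesting vesting_, IERC20 token_) public {
        vesting = vesting_;
        token = token_;
        owner = msg.sender;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Current owner puts the future ownership of the tokens up for sale.
    function setPrice(uint256 weiPrice) external onlyOwner { price = weiPrice; }

    // Buyer pays now, long before the cliff; ownership of the claim changes hands.
    function buy() external payable {
        require(price > 0 && msg.value == price, "wrong price");
        address payable previous = owner;
        owner = msg.sender;
        price = 0;
        emit OwnershipSold(previous, msg.sender, msg.value);
        previous.transfer(msg.value);
    }

    // Once the schedule allows it, the current owner pulls the vested tokens
    // out of the vesting contract and sweeps them to an address of choice.
    function claim(address to) external onlyOwner {
        vesting.release();
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(to, amount), "transfer failed");
    }
}

// Check requested by the finding: refuse beneficiaries that already hold code.
library AddressGuard {
    function isContract(address account) internal view returns (bool) {
        uint256 size;
        assembly { size := extcodesize(account) }
        return size > 0;
    }
}

// Hypothetical registry showing the guard at the moment a beneficiary is registered.
contract BeneficiaryRegistry {
    address public owner;
    mapping(address => bool) public isBeneficiary;

    constructor() public { owner = msg.sender; }

    function addBeneficiary(address account) external {
        require(msg.sender == owner, "not owner");
        require(account != address(0), "zero address");
        // Caveat: extcodesize is 0 for a precomputed CREATE2 address whose
        // contract is deployed only after this call, and an EOA's key can be
        // sold; the guard raises the bar but does not close the issue.
        require(!AddressGuard.isContract(account), "beneficiary is a contract");
        isBeneficiary[account] = true;
    }
}
```

The sale in buy() happens entirely off the vesting contract's books: from the vesting contract's point of view the beneficiary never changed, which is exactly why a beneficiary-side check at grant creation is the only place the vesting contract can intervene.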

2.4. Known vulnerabilities of ERC-20 token

Severity: low.

Description:

  • Lack of a transaction handling mechanism. An ERC-20 transfer() gives the receiving contract no notification, so tokens sent to a contract that cannot handle them (including the token contract itself) are stuck. WARNING! This is a very common issue and it has already caused losses of millions of dollars for many token users! More details here.

Recommendation:

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

3. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit; investors should nevertheless be aware of the owner privileges described in section 2.1.

4. Revealing audit reports

https://gist.github.com/yuriy77k/d2acf4c4207940beb4e7e713c03ce357

https://gist.github.com/yuriy77k/b09a26298f55608e3fc519523ada2625

https://gist.github.com/yuriy77k/580a8a837ce98fcc6dcf7c8ccbe9b436

Appendix

Smart Contract Audits by Callisto Network.
