Twinci Token security audit, conducted by the Callisto Network Security Department during May 2021.

 


 

Twinci Token Security Audit Report


1. Summary

Twinci Token smart contract security audit report, performed by the Callisto Security Audit Department.

Twinci Token is a burnable BEP20 token with a fixed supply of 5.000.000 tokens; it is the main token of the app.twinci.io project.
3.000.000 tokens are locked in a vesting contract for 365 days, distributed as follows:

  • Developer: receives 25% (750.000 TWIN); every day the system releases 1/365 of 750.000 TWIN
  • Marketing: receives 40% (1.200.000 TWIN); every day the system releases 1/365 of 1.200.000 TWIN
  • Ecosystem: receives 35% (1.050.000 TWIN), locked for 365 days and released in one payment when the lock time is over

Anyone can call the claim methods, but the receiver addresses are fixed.

2. In scope

  1. Token: https://bscscan.com/address/0xAF83F292fcED83032f52ced45ef7DBDdb586441a#code
  2. Vesting Contract: https://bscscan.com/address/0x08582ffe7df4400b2dd966fC78BC2bBe81e9b905#code

3. Findings

In total, 2 issues were reported including:

  • 1 low severity issue.
  • 1 note.

No critical security issues were found.

3.1 Known vulnerabilities of BEP-20 token

Severity: low.

Description:

Lack of a transaction handling mechanism. WARNING! This is a very common issue, and it has already caused millions of dollars in losses for many token users! More details here.

Recommendation

Add the following code to the transfer(address _to, ...) function:

require( _to != address(this) );

ERC20 is a widely used standard across the Ethereum ecosystem. It is reasonable to assume that ERC20 tokens could be “accidentally” deposited to this contract, even though this is not intended.

Any user in the Ethereum ecosystem can send ERC20 tokens to this contract and will have no way to get them back unless a special “ERC20-rescue” function is implemented in your contract. It is advised to implement this function.

Example: here is the BAT contract address. As you can see, the contract itself holds $497,000 worth of different ERC20 tokens; all of these tokens are permanently “stuck” inside the contract and are therefore lost.

Recommendation

A simple “ERC20-rescue” function can solve the problem.

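// Minimal interface: only the function the rescue needs.
interface IERC20 {
  function transfer(address _to, uint256 _amount) external;
}

// Place inside the contract; onlyOwner and owner() come from an Ownable base.
function rescueERC20(address _token, uint256 _amount) external onlyOwner {
  IERC20(_token).transfer(owner(), _amount);
}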
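
Both recommendations from 3.1 combined in one compilable contract, as an added example that is not the Twinci token's code or Callisto's; `GuardedToken`, its inline ownership check and the `Rescued` event are hypothetical names. It goes beyond the snippet above by using a low-level call, so that foreign tokens whose `transfer` returns no value can be rescued and a returned `false` is treated as failure.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added illustration: GuardedToken and its names are hypothetical, not the audited contract.
contract GuardedToken {
    address public owner;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Rescued(address indexed token, uint256 amount);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    function transfer(address _to, uint256 _amount) external returns (bool) {
        // Guard from the recommendation: tokens sent to the token contract itself would be stuck.
        require(_to != address(this), "transfer to token contract");
        require(_to != address(0), "transfer to zero address");
        balanceOf[msg.sender] -= _amount; // reverts on underflow in Solidity >= 0.8
        balanceOf[_to] += _amount;
        emit Transfer(msg.sender, _to, _amount);
        return true;
    }

    // Rescue for foreign ERC20/BEP20 tokens deposited to this contract by mistake.
    function rescueERC20(address _token, uint256 _amount) external onlyOwner {
        require(_token.code.length > 0, "not a contract");
        // Low-level call: accept tokens that return nothing or that return true.
        (bool ok, bytes memory ret) = _token.call(
            abi.encodeWithSignature("transfer(address,uint256)", owner, _amount)
        );
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "rescue failed");
        emit Rescued(_token, _amount);
    }
}
```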

3.2 Unnecessary gas wasting.

Severity: note.

Description:

In the TwinciVestingContract contract, the erc20safeTransferFrom() function of the ERC20TransferProxy contract is used to transfer tokens from the contract address to the destination address. Compared with the token.transfer(to) function, it requires much more gas because it uses cross-contract calls and calls the approve() function.

Also, calling erc20safeTransferFrom() requires that the caller (the TwinciVestingContract contract) has the Operator role. This means that the Owner may remove the Operator role from the TwinciVestingContract contract and thereby block token transfers from it.

4. Conclusion

The audited smart contract can be deployed. Only low severity issues were found during the audit.
