Table of contents. Abstract. Disclaimer. Scope. Procedure. AS-IS overview. Audit overview. Conclusion. Appendix A. Automated tools reports 12

Similar documents
SECURITY AUDIT REPORT

FanChain Contract Audit

Pillar Token Code Review

Bob s Repair Contract Audit

Security Audit of FuzeX Smart Contract This report is public. ChainSecurity Ltd. January 11, 2018

QIIBEE Security Audit

GUTS Token Sale Audit

SmartDec icumulate.io Smart Contracts Security Analysis

kasko2go Token Contract Audit

TABLE OF CONTENTS 1.0 TOKEN SALE SUMMARY INTRODUCTION HOW TO BUY LION HOW TO BUY LION WITH METAMASK

FXY TOKEN SMART CONTRACT AUDIT RESULTS FOR FIXY NETWORK LTD

MYETHERWALLET GUIDE 1

A Concurrent Perspective on Smart Contracts. 1st Workshop on Trusted Smart Contracts

Smart Contract Security Tips. Ethereum devcon2 Sep Joseph Chow

a new cryptocurrency STK GLOBAL PAYMENTS USER GUIDE USER GUIDE: PARTICIPATING IN IN STK STK TOKEN TOKEN SALE USING SALE MYETHERWALLET

Investing in BIG Token

Declarative Static Analysis of Smart Contracts

Lecture 10. A2 - will post tonight - due in two weeks

Securify: Practical Security Analysis of Smart Contracts

Learn Blockchain Programming. Ali Dorri

Trusted Audit. Trust in Process. Trust in Data. through. Irena Szrek, Director Szrek2Solutions. SMART TECH, April 18, 2007 Szrek2Solutions, LLC Page 1

Gnosis Safe Documentation. Gnosis

COEN 241 Term Project. A Blockchain-based Cloud Service

Ethereum. Smart Contracts Programming Model

TOKEN SWAP FAQ. For action before July 23, 2018.

CLN CLN TOKEN SALE. How to Participate Using MyEtherWallter

Game Guide. Keno Game Guide

Kibo Contract Audit. Prepared by Hosho July 17th, Report Version: 2.0. Copyright 2018 Hosho Group Inc.

CREDITS Web-version 2 Web-version specification CREDITS Desktop Client vs. Web-client What is the CREDITS Wallet? 2 1.

Verification & Validation of Open Source

CS 251: Bitcoin and Cryptocurrencies Fall 2016

FLIP Token (FLP) How to Participate in the FLIP Token (FLP) Sale Event. 1 Disclaimer 2. 2 What You Will Need 2

Guide to a Successful Wanchain Token Contribution

POA Bridge. Security Assessment. Cris Neckar SECUREWARE.IO

CS 251: Bitcoin and Crypto Currencies Fall 2015

cchannel Generalized State Channel Specification

Wormhole: A Smart Contract Solution for Bitcoin Cash

Let s get started. Game guide

For further information about the GRID token sale, please visit gridplus.io/token-sale.

Page Total

Due Date: Two Program Demonstrations (Testing and Debugging): End of Lab

OW TO PARTICIPAT HOW TO PARTICIPATE

Whitepaper Rcoin Global

DTX Token. Starter guide

Token Sale. Participation guide

Introduction to Blockchain

Applied cryptography

Previous Name: D3. Fourth Estate. A secure, decentralized news data storing and sharing solution for journalists

Implementing and Mechanically Verifying Smart Contracts

POLAR INTERNET SHARING, A CONNECTION OF CONSTELLATIONS

Smart!= Secure - Breaking Ethereum Smart Contracts. Elliot Ward & Jake Humphries

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Radix - Public Node Incentives

TABLE OF CONTENTS 1.0 TOKEN SALE SUMMARY INTRODUCTION HOW TO BUY LION HOW TO BUY LION WITH METAMASK

ICO Review: Raiden Network (RDN)

Mehmet İzzet Hacıalioğlu Digital Special Projects & Security Manager

ELECTRONIC RAFFLE SYSTEMS MINIMUM TECHNICAL STANDARDS FOR MEGA RAFFLES

Siebel Project and Resource Management Administration Guide. Siebel Innovation Pack 2013 Version 8.1/8.2 September 2013

HowtobuyHUMToken. Table of Contents. Beforeproceedingwiththepurchase Pre-saleguideusingMyEtherWallet Pre-saleguideusingMetamask

Ethereum Computation Market Documentation

MyCreditChain FAQ. Anyone can download and use the MCC App from the App Store. The procedure is

Approved establishments, which must have a valid liquor license, will pay a $500 annual license fee to offer KENO 603, according to the legislation.

IoT & SCADA Cyber Security Services

LECTURE 2 BLOCKCHAIN TECHNOLOGY EVOLUTION

Smart Contract Security Audit Report. Loopring Protocol Smart Contract version 2

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Vladimir Groshev. COO, Project Coordinator.

[ANALYSIS ASSIGNMENT 10]

Data Subject Data Portability Request Form

CS 142 Style Guide Grading and Details

To receive money, just share your enrolled address or U.S. mobile phone number with a friend and ask them to send you money with Zelle.

Secure Token Development and Deployment. Dmitry Khovratovich and Mikhail Vladimirov, University of Luxembourg and ABDK Consulting

Computer Security. 14. Blockchain & Bitcoin. Paul Krzyzanowski. Rutgers University. Spring 2019

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Data Entry Oracle FLEXCUBE Universal Banking Release [May] [2011] Oracle Part Number E

THE ART OF SECURING 100 PRODUCTS. Nir

ENEE 457: E-Cash and Bitcoin

Wanchain Hackathon Handbook San Jose

SYMANTEC DATA CENTER SECURITY

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Online & Mobile Banking Pilot

Confirmed VPN Privacy Audit and Open Watch Analysis Summary Report and Documentation

MEMBER SERVICE AND TELLER QUESTIONNAIRE

NEW TOKEN SWAP INSTRUCTIONS For action after July 23, 2018.

An improved security model for identity authentication against cheque payment fraud in Tanzanian banks

Intermediate Math Circles February 07, 2018 Contest Preparation I

How Can I See My ENJ? 15. Acquiring Ether (ETH) 16

I don t yet have an account - how do I get one?

DISTRIBUTION PLAN. Operation of EMMARES smart contract. EMA Token Allocation

ELECTRONIC RAFFLE SYSTEMS MINIMUM TECHNICAL STANDARDS

CHANGAMUKA NA MAUZO SAFARICOM RETAILER PROMOTION

STORE CREDIT USER GUIDE

TWEX Platform User Guide

WP24 CFD Settlement: Required Information

An Empirical Study of Vulnerability Rewards Programs

Integers Review. Author: Taras Gula me at before reproducing this booklet

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Token sale is live now

Authorisations (basic), options and limits

Transcription:

1

Table of contents Abstract 3 Disclaimer 3 Scope 3 Procedure 4 AS-IS overview 5 Audit overview 10 Conclusion 11 Disclaimer 12 Appendix A. Automated tools reports 12 2

Abstract In this report, we consider the security of the BonusToken, ERC20 and Game contracts. Our task is to find and describe security issues in the smart contracts of the platform. This report presents the findings of the security assessment of Customer`s smart contract and its code review conducted between January 14th, 2019 - January 17th, 2019 Disclaimer The audit does not give any warranties on the security of the code. One audit can not be considered enough. We always recommend proceeding with several independent audits and a public bug bounty program to ensure the security of smart contracts. Besides, security audit is not an investment advice. Scope The scope of the project is BonusToken and Game smart contracts: 1. BonusToken 2. Game We have scanned this smart contracts for commonly known and more specific vulnerabilities. Here are some of the commonly known vulnerabilities that are considered (the full list includes them but is not limited to them): 3

Unsafe type inference Timestamp Dependence Reentrancy Implicit visibility level Gas Limit and Loops Transaction-Ordering Dependence Unchecked external call Unchecked math DoS with Block Gas Limit DoS with(unexpected) Throw Byte array vulnerabilities Malicious libraries Style guide violation ERC20 API violation Uninitialized state/storage/local variables Compile version not fixed Procedure 4

In our report we checked the contracts with the following parameters: Whether the contracts is secure. Whether the contracts corresponds to the documentation. Whether the contracts meets best practices in efficient use of gas, code readability. We perform our audit according to the following procedure: Automated analysis: Scanning contracts by several public available automated analysis tools such as Mythril, Slither. Manual verification all the issues found by tools Manual audit: Manual analysis smart contracts for security vulnerabilities Checking smart contracts logic and comparing it with one described in the documentation AS-IS overview BonusToken contract overview 5

BonusToken contract constructor sets: startgameaddress address of user who has rights to manage lottery. BonusToken has 2 modifiers: onlyowner check that msg.sender is owner this contract. onlygame check that msg.sender is equal to startgameaddress. tokenisavailable check that msg.sender is owner of token and nor zero address. GetToken.sol has 15 functions: setgameaddress set address who can lead lottery. buytokens - call private function _mint(). startethlottery is changing status the lottery of ether as started. starttokenslottery is changing status lottery of token as started. restartethlottery set participants array to zero clear total lottery bank and stop lottery. restarttokenslottery set participants array to zero clear total lottery bank and stop lottery. 6

updateethlotterybank is decreasing amount of lottery bank in Ether. updatetokenslotterybank is lottery bank in token. swaptokens call private function _burn(). sendtokenstoethlottery - if lottery started and amount of participants is enough call _burn() add money to lottery account and add msg.sender as participant. sendtokenstotokenslottery - if lottery started and amount of participants is enough call _burn() add money to lottery account and add msg.sender as participant. ethlotteryparticipants return array of all participants in lottery of ether. TokensLotteryParticipants return array of all participants in lottery of ether. setinvesttokenaddress - check given address as not equal to zero and set it as investtokenaddress. SetMaxLotteryParticipants set the maximum amount of participants decreasing amount of Game contract overview Game contract constructor sets: 7

startbeneficiar address of user who will receive fee from each bet. callbackgas set amount of gas for callback function. oraclize_setcustomgasprice call function to set gas price for callback. Game has 1 modifier: valideaddress check that address not zero: Game has 3 events: PlaceBet call function of bet to show data of who bet now Bet - call in callback function and show who win in game. WinLottery - call in callback function and show who win in lottery. Game.sol has 17 functions: placebet - check is msg.value more or equal to minimal bet than check the correctness of data. According to the game set chance to win and range than remember player, call random function and calculate the prize. Set the answer to the query. lottery check is function was called more than 24 hours ago than check amount of bets more than zero call startethlottery(). Move participants with balance 8

more zero to tokensholders array. Call updatelotteryranges() function set current time and call random(). sendbonustokens - check is function was called more than 24 hours ago than all players whose cash flow more or equal to 1 ether get 100 tokens. refund check is msg.sender in list who wait for prize than check is enough ether on balance of contract after that send money. refundbet if haven't send money yet and hours ago than send money to user. setoraclizegasprice call function which set gas price. setoraclizegasprice set gas limit. setbeneficiaraddress set address as user who get fee from bets. settokenaddress set address of token contract in case of change. getfunds get money from contract to owner. getbeneficiarfund owner get all money of beneficiar. callback check that msg.sender is contract of oraclize. If it is callback from bet find winner and call sendwin(). Else if it is lottery choose winner from tokensholders use random number and ranges. After bet was 24 9

that call random() till lotterystage equal 5 and than call restartethlottery to restart lottery. updatelotteryranges get array of tokensholders and make a range from their balances. validebet check data for betting for correctness. fee calculate fee for beneficiar, lottery and subtract from bet amount. newquery set new query according to data. random call function which call contract of oraclize. sendwin if enough money on contract send money else set address and amount to map of waiting for prize. deletetokensholder delete element from the end of array and move elements in array. Audit overview Critical No critical severity vulnerabilities were found. High No high severity vulnerabilities were found. 10

Medium No medium severity vulnerabilities were found. Low Not using abi.encodepacked in a contracts is bad practice. In current versions of compilers, it is recommended to use keccak256 (abi.encodepacked (result)); instead of keccak256 (_result); in Game.sol (line 226); in Game.sol (line 251) (see Appendix A pic 3 for evidence). Lowest Code style issues: No code style issues were found. Informational statements: 174 line, Contract ERC20 (BonusToken.sol) For deployment gas reduction it is recommended to use interface of token in contracts where it used, providing token address to constructor. Conclusion To summarize the audit of contracts our team found security issues from low to lowest severity. All necessary information related to the audit contains report. The contracts was checked manually and analyzed using static analysis tools. Since the detected vulnerabilities have a 11

low level as maximum, the code is considered safe and small fixes are required. Disclaimer To ensure the security of the smart contracts only one audit cannot be considered enough as audit does not give any warranties on the security of the code. We always recommend proceeding to several independent audits and a public bug bounty program. Appendix A. Automated tools reports Pic.1 Mythril BonusToken.sol and Game.sol automated report 12

Pic.2 Slither BonusToken.sol automated report Pic.3 Slither Game.sol (part1) automated report 13

Pic.4 Slither Game.sol (part2) automated report 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback