DMToken Security Audit V2 2019 Updated

Introduction

CoinFabrik has been hired to audit the DMToken smart contract. We first describe the analysis performed by our team. We then summarize our discoveries and detail all of our findings. Finally, we give our opinion in the conclusion.

Summary

The contract audited is at address 0x2ccbff3a042c68716ed2a2cb0c544a9f1d1935e1. The contract was deployed at transaction 0x111287826ad158a7ae11a9893f03e9e8998ed7b2bac061c83bed7b68e1958a6d.

Description

  • Contract name: DMToken
  • Compiler: version 0.4.18 with optimization enabled

The contract is a simple ERC20 token. It provides additional functionality that allows some users to vest tokens gradually over time.

Analysis performed

  • Misuse of the different call methods: call.value(), send() and transfer().
  • Integer rounding errors, overflow, underflow and related usage of SafeMath functions.
  • Old compiler version pragmas.
  • Race conditions such as reentrancy attacks or front running.
  • Misuse of block timestamps, assuming anything about them other than that they are strictly increasing.
  • Contract softlocking attacks (DoS).
  • Potential gas cost of functions being over the gas limit.
  • Missing function qualifiers and their misuse.
  • Fallback functions with a higher gas cost than the one that a transfer or send call allows.
  • Fraudulent or erroneous code.
  • Code and contract interaction complexity.
  • Wrong or missing error handling.
  • Overuse of transfers in a single transaction instead of using withdrawal patterns.
  • Insufficient analysis of the function input requirements.

Detailed findings

Critical severity

No issue has been found.

Medium severity

No issue has been found.

Minor severity

No issue has been found.

Observations

Old compiler version

The audited contracts were deployed with version 0.4.18 of the Solidity compiler (solc). At the time of this audit, the latest release of solc is 0.5.4. We checked the vulnerabilities known to affect this old version of the compiler against this particular contract and found that none of them compromises the contract.

These vulnerabilities consist of two high-medium severity bugs:

  • ExpExponentCleanup: Only the exponentiation operation with types smaller than 256 bits is impacted. Some of the higher bits are not zeroed before use resulting in difficult to predict behaviour.
    We didn’t find any use of exponentiation operations in this contract.
  • NestedArrayFunctionCallDecoder: Function calls where the return type is a multidimensional fixed-size array are impacted. We found no function using such a return type in this contract.
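
The two checks above can be pre-screened mechanically. The following is an added example, not part of CoinFabrik's report or tooling: a heuristic scan of Solidity source that flags every use of `**` (a superset of the sub-256-bit case) and every `returns` list containing a nested fixed-size array. The regexes and both sample contracts are constructed for illustration, and a hit only marks a line for manual review.

```python
import re

# Strings and comments are blanked first so that NatSpec openers ("/**") and
# text such as "2 ** 8" are not mistaken for the exponentiation operator.
NONCODE = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|//[^\n]*|/\*.*?\*/''', re.S)
EXP = re.compile(r"\*\*")                                    # any use of **
RETURNS = re.compile(r"\breturns\s*\(([^)]*)\)")             # return parameter list
NESTED_FIXED = re.compile(r"\[\s*\w+\s*\]\s*\[\s*\w+\s*\]")  # e.g. uint256[2][3]

def blank_noncode(src):
    """Replace comments and string literals with spaces, keeping line breaks."""
    return NONCODE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def scan(src):
    """Return sorted (line, bug_name) pairs that call for manual review."""
    code = blank_noncode(src)
    line = lambda pos: code.count("\n", 0, pos) + 1
    hits = [(line(m.start()), "ExpExponentCleanup") for m in EXP.finditer(code)]
    hits += [(line(m.start()), "NestedArrayFunctionCallDecoder")
             for m in RETURNS.finditer(code) if NESTED_FIXED.search(m.group(1))]
    return sorted(hits)

# Constructed samples (not the DMToken source).
CLEAN = '''\
/** @dev constructed sample with no affected operation */
contract Clean {
    string note = "2 ** 8"; // text, not an operation
    function total() public constant returns (uint256) { return 1; }
}
'''
FLAGGED = '''\
contract Flagged {
    function pow(uint8 b, uint8 e) public pure returns (uint8) {
        return b ** e;
    }
    function grid() public pure returns (uint256[2][3]) { }
}
'''

if __name__ == "__main__":
    for name, src in (("Clean", CLEAN), ("Flagged", FLAGGED)):
        print(name, scan(src) or "no affected pattern found")
```

An empty result corresponds to the situation the report describes for DMToken; it does not replace reading the flagged or unflagged code.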

There have been several other changes to the Solidity language since version 0.4.18 of solc (October 2017). These changes should not affect the functionality of the contract at all.

  • Use of view and pure modifiers instead of constant.
  • Use of emit to distinguish the generation of events from function calls.
  • Introduction of the constructor keyword.
  • A slightly richer type system.

Conclusion

The contract is a simple ERC20 token with additional functionality through which the contract owner might allow some users to vest tokens gradually over time.

We found no issue with the currently deployed contracts. There are some vulnerabilities in the Solidity compiler version used, but we found no use of the affected operations in the smart contracts.

Disclaimer: This audit report is not a security warranty, investment advice, or an approval of DMToken, since CoinFabrik has not reviewed its platform. Moreover, it does not guarantee that the smart contract code is free of faults.