Here is the report of the Maker (MKR) Security Audit performed by the Callisto Network security department in March 2019.
About Callisto Network and the security department:
Utilizing Callisto Network capabilities, we have established a free-for-all system of smart-contract auditing. To this end, Callisto Network has founded the Callisto security department and deploys treasury funds to pay security auditors for auditing smart contracts, in order to reduce risks and flaws in smart contracts and improve the adoption of programmable blockchains for the whole crypto industry.
Maker (MKR) specifics:
Deployed at :
Number of lines: 236
Maker (MKR) Security Audit Report
Audit Top 200 CoinMarketCap tokens.
| Circulating Supply | 1 000 000 |
| Total Supply | 1 000 000 |
| Max Supply | No Data |
2. In scope
In total, 5 issues were reported including:
- 5 low severity issues.
No critical security issues were found.
3.1. Known vulnerabilities of ERC-20 token
- A double withdrawal attack is possible. More details here.
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for many token users! More details here.
Add the following code to the transfer(address _to, ...) function:
require( _to != address(this) );
3.2. ERC20 Compliance — event missing
- According to the ERC20 standard, when coins are minted a Transfer event should be emitted.
- The burn function also should emit the
3.3. It is necessary to check the input address of
- In the transferFrom functions, the input destination address is not checked for a null value and the funds can be transferred to a
- The input address also needs to be checked for
If the approve function is called with only the “beneficiary” address parameter, then the max-uint value(!) of tokens will be approved to the recipient.
Also, the approved value doesn’t decrease when transferFrom is called in the case of a max-uint approved value. This is some sort of ERC20 discrepancy.
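A minimal Solidity sketch of the checks recommended in 3.1 to 3.4, added here as an example; it is not the audited Maker contract, and the contract name, modifier and function layout are assumptions.

```solidity
pragma solidity ^0.8.0;
// Added illustration, not the audited Maker contract; all names are assumptions.
contract CheckedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;
    address public owner = msg.sender;
    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    // 3.1 / 3.3: reject the null address and the token contract itself as destination.
    modifier validDestination(address to) {
        require(to != address(0), "to: zero address");
        require(to != address(this), "to: token contract");
        _;
    }

    function transfer(address to, uint256 value) external validDestination(to) returns (bool) {
        _move(msg.sender, to, value);
        return true;
    }

    // 3.4: the allowance is always decremented, including a max-uint approval.
    function transferFrom(address from, address to, uint256 value) external validDestination(to) returns (bool) {
        allowance[from][msg.sender] -= value; // reverts on underflow in 0.8
        _move(from, to, value);
        return true;
    }

    // 3.4: the caller must state the amount; there is no one-argument overload.
    function approve(address spender, uint256 value) external returns (bool) {
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // 3.2: minting emits Transfer from the zero address.
    function mint(address to, uint256 value) external validDestination(to) {
        require(msg.sender == owner, "not owner");
        totalSupply += value;
        balanceOf[to] += value;
        emit Transfer(address(0), to, value);
    }

    function _move(address from, address to, uint256 value) private {
        balanceOf[from] -= value; // reverts if the balance is insufficient
        balanceOf[to] += value;
        emit Transfer(from, to, value);
    }
}
```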
3.5. Owner’s Privileges
The contract owner allows himself to pause functions of the contract (
The audited smart contract can be deployed. Only low severity issues were found during the audit.