Phi token

PHI Token (PHI) Security Audit Report

Here is the report of the PHI Token (PHI) Security Audit performed by the Callisto Network security department in October 2018.

About Callisto Network and the security department

Utilizing Callisto Network capabilities, we have established a free-for-all system of smart-contract auditing. To this end, Callisto Network has founded the Callisto security department and deploys treasury funds to pay security auditors for auditing smart contracts, in order to reduce risks and flaws in smart contracts and improve the adoption of programmable blockchains for the whole crypto industry.

PHI Token (PHI) Specificities

Source Code




1. Summary

PHI Token security audit report performed by Callisto Security Audit Department

2. In scope

3. Findings

In total, 6 issues were reported including:

  • 2 medium severity issues.
  • 3 low severity issues.
  • 1 minor observation.

No critical security issues were found.

3.1. Token Minting

Severity: medium


  • The mint(address _to, uint256 _amount, address _owner) function does not mint tokens but rather transfers tokens from the _owner address to _to. This allows the transfer of tokens from any address to another address.
    mint is marked as internal, so its usage is limited to inside the contract and it won't harm any investor.
  • When the ICO ends, if the owner doesn't call ownerBurnToken, the tokens allocated for the crowdsale will be kept by the owner in his wallet, since mint does not really mint but just transfers tokens from the addressFundReferal or owner addresses.
  • The mintingFinished member of the MintableToken contract is not intended to be set to true at any moment in the Token and ICO logic.

Code snippet

3.2. ICO Rates

Severity: medium


If a user buys tokens during the pre-ICO expecting ratePreIco to be applied and tokenAllocated is higher than limitPreIco, then the rate used will be rateIco, resulting in an amountOfTokens lower than expected.

Code snippet
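
The rate switch described in this finding, as an added Python model (not the PHI contract's Solidity code and not part of the audit). The rates, the cap, the `Sale` class and the `buy_guarded` minimum-amount check are assumptions made for illustration; only the names ratePreIco, rateIco, limitPreIco, tokenAllocated and amountOfTokens come from the report.

```python
from dataclasses import dataclass

class Reverted(Exception):
    """Models a Solidity revert: the purchase fails and state is unchanged."""

@dataclass
class Sale:
    # Constructed parameters, not PHI's real values.
    rate_pre_ico: int = 1500   # tokens per unit of ETH in the pre-ICO
    rate_ico: int = 1000       # tokens per unit of ETH in the main ICO
    limit_pre_ico: int = 2000  # pre-ICO allocation cap
    token_allocated: int = 0
    pre_ico_open: bool = True

    def current_rate(self) -> int:
        # Behaviour reported in 3.2: once tokenAllocated is higher than
        # limitPreIco, rateIco applies even though the pre-ICO is still open.
        if self.pre_ico_open and self.token_allocated <= self.limit_pre_ico:
            return self.rate_pre_ico
        return self.rate_ico

    def buy(self, eth: int) -> int:
        """Purchase as described in the finding: the rate switches silently."""
        amount_of_tokens = eth * self.current_rate()
        self.token_allocated += amount_of_tokens
        return amount_of_tokens

    def buy_guarded(self, eth: int, min_tokens: int) -> int:
        """Hypothetical mitigation: the buyer states the minimum they accept."""
        amount_of_tokens = eth * self.current_rate()
        if amount_of_tokens < min_tokens:
            raise Reverted("rate changed: below buyer's minimum")
        self.token_allocated += amount_of_tokens
        return amount_of_tokens

def demo():
    sale = Sale()
    received = [sale.buy(1) for _ in range(3)]  # third buy comes after the cap
    try:
        sale.buy_guarded(1, min_tokens=1500)    # buyer expects the pre-ICO rate
        outcome = "filled"
    except Reverted:
        outcome = "reverted"
    return received, outcome, sale.token_allocated

if __name__ == "__main__":
    print(demo())
```
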

3.3. ICO Phases Time

Severity: low


ICO phases can be started, extended or stopped at the owner's will.

Code snippet

3.4. Minting Event

Severity: low


mintForFund should emit a Mint event after adding the fund value to every address.

Code snippet

3.5. Known Issues of ERC20 Standard

Severity: low


  1. A double withdrawal attack is possible. More details here
  2. Lack of transaction handling mechanism issue. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here

3.6. Different data in docs and code

Severity: minor observation


According to the documentation there are 60 000 000 tokens for sale, but in the code there are 60 250 000.


Please provide correct data and re-check all the values.

4. Conclusion

Smart contracts are intended to be more autonomous than centralized applications. Crowdsale functions should be more decentralized to fully benefit from the trustless nature of the Ethereum blockchain.

Multiple issues have been raised; the contract developers should fix them before deployment.

5. Revealing audit reports