Here is the report of the PHI Token (PHI) Security Audit performed by the Callisto Network security department in October 2018.
About Callisto Network and the security department:
Utilizing Callisto Network capabilities, we have established a free-for-all system of smart-contract auditing. To this end, Callisto Network has founded the Callisto security department and deploys treasury funds to pay security auditors for auditing smart contracts, in order to reduce risks and flaws in smart contracts and improve the adoption of programmable blockchains for the whole crypto industry.
Security Audit Report
2. In scope
- PHICrowdsale.sol, GitHub commit hash c0eeedc616935ce2cf72191567c05bc705e983a1.
In total, 6 issues were reported, including:
- 2 medium severity issues.
- 3 low severity issues.
- 1 minor observation.
No critical security issues were found.
3.1. Token Minting
The mint(address _to, uint256 _amount, address _owner) function does not mint tokens but rather transfers existing tokens to _to; this allows the transfer of tokens from any address to another address. mint is marked as internal, so its usage is limited to the contract itself and it won't harm any investor. When the ICO ends, if the owner doesn't call ownerBurnToken, the tokens allocated for the crowdsale will be kept by the owner in his wallet, since mint does not really mint but just transfers tokens. The flag inherited from the MintableToken contract is not intended to be set to true at any moment in the Token and ICO logic.
3.2. ICO Rates
If a user buys tokens during the pre-ICO expecting ratePreIco to be applied while tokenAllocated is already higher than limitPreIco, the rate used will be rateIco, resulting in an amountOfTokens lower than the user expects.
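As an added illustration of the rate selection described above (a Python model written for this report, not the PHICrowdsale code): the identifiers ratePreIco, rateIco, limitPreIco, tokenAllocated and amountOfTokens come from the report, while the numeric values, the in_pre_ico flag and the min_tokens guard in the hardened variant are assumptions.

```python
# Constructed model of the pre-ICO rate selection described in 3.2.
# Not the PHICrowdsale code: report identifiers are reused, the numeric
# values and the min_tokens guard are assumptions for illustration.
from dataclasses import dataclass

WEI = 10 ** 18  # 1 ETH in wei


class RateChanged(Exception):
    """Raised by the hardened purchase when the buyer's minimum is not met."""


@dataclass
class CrowdsaleModel:
    ratePreIco: int          # tokens per ETH advertised for the pre-ICO
    rateIco: int             # tokens per ETH for the main ICO
    limitPreIco: int         # cap on tokens allocated at the pre-ICO rate
    tokenAllocated: int = 0  # tokens allocated so far
    in_pre_ico: bool = True  # phase flag (owner-controlled per 3.3)

    def current_rate(self) -> int:
        # Reported behaviour: during the pre-ICO, ratePreIco applies only
        # while tokenAllocated is not yet above limitPreIco; afterwards
        # rateIco is used silently, even though the pre-ICO is still open.
        if self.in_pre_ico and self.tokenAllocated <= self.limitPreIco:
            return self.ratePreIco
        return self.rateIco

    def buy_as_reported(self, wei: int) -> int:
        """Purchase with the reported behaviour: the rate switches silently."""
        amountOfTokens = wei * self.current_rate() // WEI
        self.tokenAllocated += amountOfTokens
        return amountOfTokens

    def buy_with_min_tokens(self, wei: int, min_tokens: int) -> int:
        """Assumed hardening: the buyer states the minimum amountOfTokens they
        accept (e.g. wei * ratePreIco // WEI); the purchase reverts instead of
        allocating fewer tokens than expected."""
        amountOfTokens = wei * self.current_rate() // WEI
        if amountOfTokens < min_tokens:
            raise RateChanged(f"got {amountOfTokens}, expected >= {min_tokens}")
        self.tokenAllocated += amountOfTokens
        return amountOfTokens


def pre_ico_shortfall(sale: CrowdsaleModel, wei: int) -> int:
    """Tokens a pre-ICO buyer would miss versus the advertised ratePreIco."""
    expected = wei * sale.ratePreIco // WEI
    return expected - wei * sale.current_rate() // WEI
```

With ratePreIco=1500, rateIco=1000 and limitPreIco=3000, the purchase that crosses the limit still receives the pre-ICO rate, and only the next buyer is silently charged rateIco.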
3.3. ICO Phases Time
ICO phases can be started, extended or stopped at the owner's will.
3.4. Minting Event
mintForFund should emit a Mint event after adding the fund value to every address.
3.5. Known Issues of ERC20 Standard
- A double-withdrawal attack is possible. More details here.
- Lack of a transaction handling mechanism. WARNING! This is a very common issue and it has already caused millions of dollars in losses for lots of token users! More details here.
3.6. Different data in docs and code
Severity: minor observation
Please provide correct data and re-check all the values.
Smart contracts are intended to be more autonomous than centralized applications; the Crowdsale functions should be more decentralized to fully benefit from the trustless nature of the Ethereum blockchain.
Multiple issues have been raised, and the contract developers should fix them before deployment.