3df6277388 | ||
---|---|---|
.. | ||
code-review | ||
deployed-contracts | ||
test | ||
README.md |
README.md
Oracles Network Presale Contract Audit
Summary
Oracles Network intends to run a presale commencing in Nov 2017.
Bok Consulting Pty Ltd was commissioned to perform an audit on the Oracles Network's presale Ethereum smart contract.
This audit has been conducted on Oracles Network's source code in commits 5bc4391 and 565e090.
No potential vulnerabilities have been identified in the presale contract.
Mainnet Addresses
- PresaleOracles - 0xc8fe4a2d14Cb9027Ef955D15E8BF811a6DB0Bf74 with a copy of the deployed code saved in deployed-contracts/PresaleOracles_deployed_at_0xc8fe4a2d14Cb9027Ef955D15E8BF811a6DB0Bf74.sol
- Wallet - 0x04c62019ab478bFf5874E7B7D9bC84FCF7e30025
Presale Contract
Ethers contributed by participants to the presale contract are immediately transferred to the presale wallet, reducing any risk of the loss of ethers in this bespoke smart contract.
No tokens are generated for these contributions.
Table Of Contents
- Summary
- Recommendations
- Potential Vulnerabilities
- Scope
- Limitations
- Due Diligence
- Risks
- Testing
- Code Review
Recommendations
- LOW IMPORTANCE Use the OpenZeppelin Claimable contract instead of the Ownable contract to provide more safety during the
ownership transfer process
- Updated in 565e090
- LOW IMPORTANCE The variable
PresaleOracles.rate
is unused and can be removed- Updated in 565e090
- LOW IMPORTANCE Consider adding the logging of an event for each contribution, like
Contribution(address investor, uint investorAmount, uint investorTotal, uint totalAmount)
. This data can then be easily extracted using a script, if there are many individual contributions- Updated in 565e090
- LOW IMPORTANCE
BasicToken
can be replaced with theERC20Basic
interface inPresaleOracles.claimTokens(...)
, and theBasicToken
contract source code can be removed- Updated in 565e090
Potential Vulnerabilities
No potential vulnerabilities have been identified in the presale contract.
Scope
This audit is into the technical aspects of the presale contract. The primary aim of this audit is to ensure that funds contributed to this contract is not easily attacked or stolen by third parties. The secondary aim of this audit is that ensure the coded algorithms work as expected. This audit does not guarantee that that the code is bugfree, but intends to highlight any areas of weaknesses.
Limitations
This audit makes no statements or warranties about the viability of the Oracles Network's business proposition, the individuals involved in this business or the regulatory regime for the business model.
Due Diligence
As always, potential participants in any crowdsale are encouraged to perform their due diligence on the business proposition before funding any crowdsales.
Potential participants are also encouraged to only send their funds to the official crowdsale Ethereum address, published on the crowdsale beneficiary's official communication channel.
Scammers have been publishing phishing address in the forums, twitter and other communication channels, and some go as far as duplicating crowdsale websites. Potential participants should NOT just click on any links received through these messages. Scammers have also hacked the crowdsale website to replace the crowdsale contract address with their scam address.
Potential participants should also confirm that the verified source code on EtherScan.io for the published crowdsale address matches the audited source code, and that the deployment parameters are correctly set, including the constant parameters.
Risks
- This presale contract has a low risk of having the ETH hacked or stolen, as any contributions by participants are immediately transferred to the presale wallet.
Testing
The following functions were tested using the script test/01_test1.sh with the summary results saved in test/test1results.txt and the detailed output saved in test/test1output.txt:
- Deploy Presale contract
- Initialise contract
- Whitelist accounts
- Blacklist accounts
- Send contributions for whitelisted addresses and blacklisted address (expecting failure)
Code Review
- code-review/PresaleOracles_flat.md
- contract Ownable
- contract ERC20Basic
- contract BasicToken is ERC20Basic
- contract PresaleOracles is Ownable
The following warning messages are generated when using the Solidity compiler 0.4.18 and are of low importance, due to recent changes to the Solidity compiler version:
$ solc_0.4.18 PresaleOracles_flat.sol
PresaleOracles_flat.sol:40:3: Warning: No visibility specified. Defaulting to "public".
function Ownable() {
^
Spanning multiple lines.
PresaleOracles_flat.sol:4:3: Warning: Function state mutability can be restricted to pure
function mul(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:10:3: Warning: Function state mutability can be restricted to pure
function div(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:17:3: Warning: Function state mutability can be restricted to pure
function sub(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:22:3: Warning: Function state mutability can be restricted to pure
function add(uint256 a, uint256 b) internal constant returns (uint256) {
^
Spanning multiple lines.
PresaleOracles_flat.sol:127:5: Warning: Function state mutability can be restricted to pure
function Presale() public {
^
Spanning multiple lines.
(c) BokkyPooBah / Bok Consulting Pty Ltd for Oracles Network - Nov 15 2017. The MIT Licence.