ICO smart contract security audit

The project goal was to assess the security of the smart contract source code, which implemented a modified ERC20 token and an investor web dashboard. The contracts used the Oraclize library to interact with external services. The code review combined manual and automated tools and techniques to identify vulnerabilities within the target environment and exploit them. The contract code was deployed to a custom blockchain testnet and every ICO step was emulated (the time parameters were modified to speed up each ICO stage). The testnet and deployment were arranged with a set of utilities: geth, truffle, ganache and mist.


Multiple vulnerabilities were identified and reported to the customer:

  • Wide permissions for the developer role, hardcoded in the contract.
  • A potential stale state of the contract, in which it could get stuck with no way to recover the funds sent to the contract address.
  • Lack of input address length validation, which facilitated attacks involving input abuse on the smart-contract web dashboard.
  • Cross-site scripting (XSS) in the investor web dashboard.
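The following is an added example, not code from the audited dashboard or contracts, showing the client-side checks a dashboard would need against the two input findings above: an address that is not the canonical 20-byte length, and untrusted investor text rendered into HTML. The function names, the row layout and the sample entries are assumptions constructed for illustration.

```javascript
// Added example (not part of the audited dashboard): client-side checks for
// two of the findings above, an Ethereum address of the wrong length and
// untrusted text rendered into HTML. Names here are assumptions for illustration.

// A canonical Ethereum address is "0x" followed by exactly 40 hex characters
// (20 bytes). Anything shorter or longer is rejected before it reaches the
// contract call, rather than being silently padded or truncated downstream.
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

function isValidAddress(addr) {
  return typeof addr === "string" && ADDRESS_RE.test(addr);
}

// Escape the five characters that matter in HTML text and attribute contexts,
// so an investor-supplied name or memo cannot break out into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Build the dashboard row for one investor entry. Throws on a malformed
// address so the bad input never reaches a token transfer.
function renderInvestorRow(entry) {
  if (!isValidAddress(entry.address)) {
    throw new Error(`invalid address length or format: ${entry.address}`);
  }
  return `<tr><td>${escapeHtml(entry.address)}</td><td>${escapeHtml(entry.name)}</td></tr>`;
}

// Constructed sample input: a valid address, a 39-hex-character "short"
// address, and a valid address whose display name carries a script tag.
const SAMPLE_INVESTORS = [
  { address: "0x" + "ab".repeat(20), name: "Alice" },
  { address: "0x" + "ab".repeat(19) + "a", name: "Bob" },
  { address: "0x" + "cd".repeat(20), name: "<script>alert(1)</script>" },
];

// Validate and render every entry, recording per-entry success or the
// rejection reason instead of aborting the whole table.
function checkAll(entries) {
  return entries.map((e) => {
    try {
      return { ok: true, html: renderInvestorRow(e) };
    } catch (err) {
      return { ok: false, error: err.message };
    }
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAll(SAMPLE_INVESTORS));
}
```

The length check belongs on the server and in the contract as well; the client-side check only keeps honest users from submitting a mistyped address, while the contract-side check is what stops a deliberately crafted call.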