Smart Contract Code Review and Security Analysis Report
Date: November, 11, 2018
This document contains confidential information about IT systems and intellectual property of the customer as well as information about potential vulnerabilities and methods of their exploitation.
This confidential information shall be used only internally by the customer and shall not be disclosed to third parties.
Smart Contract Code Review and Security Analysis Report for Ethebit
Ethereum / Solidity
This report presents the findings of the security assessment of Customer`s smart contract and its code review conducted between November 1st, 2018
–November 11th, 2018.
The scope of the project is Ethebit smart contract, which can be found on github by link below: https://github.com/Ethebit/Ethebit/blob/master/Ethebit.sol
We have scanned this smart contract for commonly known and more specific vulnerabilities. Here are some of the commonly known vulnerabilities that are considered (the full list includes them but is not limited to them):
• Timestamp Dependence
• Gas Limit and Loops
• DoS with (Unexpected) Throw
• DoS with Block Gas Limit
• Transaction-Ordering Dependence
• Byte array vulnerabilities
• Style guide violation
• Transfer forwards all gas
• Malicious libraries
• Compiler version not fixed
• Unchecked external call - Unchecked math
• Unsafe type inference
• Implicit visibility level
Our team performed analysis of code functionality, manual audit and automated checks with solc and remix IDE. All issues found during automated analysis were manually reviewed and applicable vulnerabilities are presented in Audit overview section. General overview is presented in AS-IS section and all found issues can be found in Audit overview section. We found 1 low vulnerabilities in smart contract;
Ethebit contract manages investment system.
Ethebit uses SafeMath library and another Ownable contract in its work.
The Ownable Contract is designed to enable the management of the most important contract functions on behalf of the contract owner.
The Ownable contract contains the onlyOwner modifier and the changeOwner () function. The changeOwner () function is designed to change the address of the wallet of the contract holder. This function is called with the onlyOwner modifier. Thus, it is possible to change the owner of a contract only from under the account of the current owner of the contract.
Contract Ethebit can use in its work all the functionality of the Ownable contract. But this is not done.
1. There is not a single function in the Ethebit contract that is called with the onlyOwner modifier.
2. In the Ethebit contract constructor there is the following line: owner = address (0);
Thus, the contract owner is assigned a zero address.
There can be no real wallet with this address. Those. it will be impossible to enter the real address of the owner of the contract.
The fallback function calls the function invest() with parameter 0. When the ETH arrives directly at the contract address, the referral system will not work.
The invest() function is designed to process incoming ETHs to an investment fund. If the value of the _refLink parameter is more than 100, then the referent will receive a reward. Otherwise, the reward will be received by the technical support team.
The getBalance () function is designed to calculate the dividends that an investor can receive at a given time. The parameter of the function is the address of the investor’s wallet.
The checkBalance() function is used to view the dividends of the user who called this function. The function has no parameters.
The function withdrawProfit() is intended to receive the dividends of the user who called this function. The function has no parameters.
The checkWithdrawals() function is intended to display the number of dividends already received by the user. The function has a parameter - the address of the investor.
The function checkInvestments() is designed to display the amount of the investor’s deposit. The function has a parameter - the address of the investor.
The getMyDeposit() function is designed to receive the deposit of the user who called this function. The function has no parameters.
The function makeReferrerProfit() is designed to accrue reward for the referrer. The function has a parameter - reference number.
The getMyReferrerProfit() function is designed to receive a referral reward for the user who called this function. The function has no parameters. Remuneration is possible only if the value of the referral amount is greater than the minimum value of 0.01 Ether.
The function makeReferralLink() is designed to get the formation of a referral number for the user who called this function. The function has no parameters.
The getReferralLink() function is designed to get the value of the referral number for the user who called this function. The function has no parameters.
The function checkReferrerBalance() is designed to display the total amount of remuneration for the referrer. The function has a parameter - the address of the referrer.
No critical vulnerabilities were found.
No high severity vulnerabilities were found.
No high severity vulnerabilities were found.
It is not clear why there is an Ownable contract here. Its functionality is not used anywhere. Our team offers to remove this contract.
Informational statements are audit team findings that doesn’t have any security issues. However, they are presented in report to clarify and outline functionality and business requirements.
Audit report contains all found security vulnerabilities and other issues in the reviewed code.
Overall quality of reviewed contracts is good; however, it contains 1 low vulnerabilities.
The smart contracts given for audit have been analyzed in accordance with the best industry practices at the date of this report, in relation to: cybersecurity vulnerabilities and issues in smart contract source code, the details of which are disclosed in this report, (Source Code); the Source Code compilation, deployment and functionality (performing the intended functions).
The audit makes no statements or warranties on security of the code. It also cannot be considered as a sufficient assessment regarding the utility and safety of the code, bugfree status or any other statements of the contract. While we have done our best in conducting the analysis and producing this report, it is important to note that you should not rely on this report only - we recommend proceeding with several independent audits and a public bug bounty program to ensure security of smart contracts.