trade.io get their ICO off to a smart start
The team over at trade.io launched their “Trade Token” ICO on Ethereum on 7th December. Business has been brisk, with early investors taking advantage of the lower prices for these ERC-20 compliant tokens. Further price increases are scheduled before the ICO closes on 4th January 2018.
Thankfully, trade.io took the sensible precaution of getting their smart contract carefully vetted before they went live. They asked our expert ICO security team to audit their Trade Token contracts to uncover any vulnerabilities, logical flaws or other code errors that might put their platform, funds and investors at risk.
A high quality contract
Our team performed detailed source code analysis of two Trade Token smart contracts, TIOToken and TIOCrowdsale, along with simulations of real-world attacks to test their security provisions.
We didn’t find any vulnerabilities, and our recommendations covered just a few points of best practice. You can get the full details below.
This clean bill of health is great news for the trade.io team as well as their investors, and it once again highlights the importance of making smart contract security a top priority for every ICO.
The detailed lowdown on Trade.io
Here’s the fine print on our analysis: the audited contracts are held in the trade-io/Tradeio-TokenSale-Contract GitHub repository. The version used for this report is commit f5c14561dcf37c0508554499a8de23fd134e0528.
The TIOToken contract is built on top of Majoolr’s TokenLib library with minimal additions. We found no vulnerabilities. Minor recommendations included:
- Keep in mind that the ERC20 standard has a possible attack vector on the approve/transferFrom methods, described here: a spender who sees a pending approve that lowers their allowance can front-run it with transferFrom, spending the old allowance and then the new one;
- Consider making approveChange from TokenLib callable in TIOToken, so that allowances can be raised or lowered by a delta rather than overwritten, to avoid this possible double spend attack;
- Consider checking that the _to argument is not equal to 0x0 in the transfer and transferFrom functions in TokenLib.sol to avoid accidental token transfers to undefined addresses;
- Consider raising the minimum version of the Solidity compiler (currently 0.4.15) to the latest.
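The two allowance recommendations above are easiest to see with a small model of ERC20 bookkeeping. The following is an added example written for this article; it is not code from the audited repository or from Majoolr’s TokenLib. It models balances and allowances in Python, replays the approve/transferFrom front-running sequence, then replays it with a relative approveChange-style update (modelled here as approve_change, an assumed name) and with the 0x0 destination check. Addresses and amounts are constructed sample data.

```python
"""Toy model of ERC20 allowance semantics (added example, not project code)."""

# Constructed sample data: string addresses stand in for 20-byte Ethereum addresses.
ZERO_ADDRESS = "0x0"


class Token:
    """Minimal ERC20-like ledger: balances plus owner -> spender -> allowance."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = {}

    def allowance(self, owner, spender):
        return self.allowed.get(owner, {}).get(spender, 0)

    def _set_allowance(self, owner, spender, value):
        self.allowed.setdefault(owner, {})[spender] = value

    def approve(self, owner, spender, value):
        # Standard ERC20 approve: overwrites the allowance regardless of what
        # the spender has already consumed. This is the root of the race.
        self._set_allowance(owner, spender, value)
        return True

    def approve_change(self, owner, spender, delta, increase):
        # Relative update (assumed name, modelled on the TokenLib approveChange
        # recommended above): the new allowance depends on the current one, so a
        # spender who already drained it cannot spend the "new" amount on top.
        current = self.allowance(owner, spender)
        if increase:
            self._set_allowance(owner, spender, current + delta)
        else:
            self._set_allowance(owner, spender, 0 if delta > current else current - delta)
        return True

    def _move(self, sender, to, value):
        # Zero-address check recommended above: tokens sent to 0x0 are unrecoverable.
        if to == ZERO_ADDRESS:
            raise ValueError("transfer to 0x0 rejected")
        if self.balances.get(sender, 0) < value:
            raise ValueError("insufficient balance")
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value

    def transfer(self, sender, to, value):
        self._move(sender, to, value)
        return True

    def transfer_from(self, spender, owner, to, value):
        if self.allowance(owner, spender) < value:
            raise ValueError("insufficient allowance")
        self._move(owner, to, value)
        self._set_allowance(owner, spender, self.allowance(owner, spender) - value)
        return True


def front_run_with_approve():
    """Alice approves 100, then lowers it to 50; Bob front-runs the change."""
    t = Token({"alice": 1000})
    t.approve("alice", "bob", 100)
    # Bob sees Alice's pending approve(bob, 50) and gets his transferFrom mined first.
    t.transfer_from("bob", "alice", "bob", 100)
    # Alice's approve lands afterwards and installs a fresh 50 on top of the spent 100.
    t.approve("alice", "bob", 50)
    t.transfer_from("bob", "alice", "bob", 50)
    return t.balances["bob"]  # 150: more than either allowance Alice intended


def front_run_with_approve_change():
    """Same sequence, but Alice lowers the allowance by a delta instead."""
    t = Token({"alice": 1000})
    t.approve("alice", "bob", 100)
    t.transfer_from("bob", "alice", "bob", 100)
    # Decreasing by 50 from an already-drained allowance clamps to 0, so Bob's
    # second transferFrom fails.
    t.approve_change("alice", "bob", 50, increase=False)
    try:
        t.transfer_from("bob", "alice", "bob", 50)
    except ValueError:
        pass
    return t.balances["bob"]  # 100: Bob only ever received the original allowance


def transfer_to_zero_is_rejected():
    """Both transfer paths refuse a 0x0 destination and leave balances untouched."""
    t = Token({"alice": 10})
    t.approve("alice", "bob", 10)
    rejected = 0
    for call in (lambda: t.transfer("alice", ZERO_ADDRESS, 5),
                 lambda: t.transfer_from("bob", "alice", ZERO_ADDRESS, 5)):
        try:
            call()
        except ValueError:
            rejected += 1
    return rejected == 2 and t.balances["alice"] == 10


if __name__ == "__main__":
    print("plain approve, Bob ends with:", front_run_with_approve())
    print("approve_change, Bob ends with:", front_run_with_approve_change())
    print("0x0 transfers rejected:", transfer_to_zero_is_rejected())
```

The model deliberately keeps the overwrite semantics of approve, because that is exactly what the standard specifies; the fix is not to change approve but to give holders a relative update path and to use it when adjusting an existing non-zero allowance.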
The TIOCrowdsale contract is built on top of Majoolr’s CrowdsaleLib library with minimal additions. Again, no vulnerabilities were found, and our minor recommendations included:
- Consider updating the number of tokens given per 1 ETH to 625, as stated by the whitepaper (currently 150);
- Consider updating the fallback exchange rate to 400 dollars per 1 ETH, as of 23.11.2017 (currently 300 dollars);
- Consider checking the error in the receivePurchase() function in DirectCrowdsaleLib when subtracting _numTokens from the owner’s tokens in withdrawTokensMap;
- Consider calling setTokens() from setTokenExchangeRate() in CrowdsaleLib to avoid code duplication;
- Consider raising the minimum version of the Solidity compiler (currently 0.4.15) to the latest.