Professional Documents
Culture Documents
SmartContract Audit Solidproof Cryptalk
SmartContract Audit Solidproof Cryptalk
September, 2021
1
Disclaimer 3
Description 5
Project Engagement 5
Logo 5
Contract Link 5
Methodology 7
Source Lines 10
Risk Level 10
Capabilities 11
Scope of Work 12
Inheritance Graph 12
Verify Claims 13
CallGraph 18
Critical issues 20
High issues 20
Medium issues 20
Low issues 20
Informational issues 20
Audit Comments 21
SWC Attacks 22
2
Disclaimer
SolidProof.io reports are not, nor should be considered, an “endorsement”
or “disapproval” of any particular project or team. These reports are not,
nor should be considered, an indication of the economics or value of any
“product” or “asset” created by any team. SolidProof.io do not cover
testing or auditing the integration with external contract or services (such
as Unicrypt, Uniswap, PancakeSwap etc’...)
• Automated- /Manual-Security
Testing
• Summary
Network
Binance Smart Chain (BEP20)
Website
https://www.cryptalk.app/
Telegram
https://t.me/cryptalk2021
Twitter
https://twitter.com/Cryptalkapp
Description
A secure app with a team of bright individuals, skilled in the crypto space
and security space. Their app will ensure projects are veri ed and SAFU by
professional auditors.
Project Engagement
During the 11th of September 2021, CrypTalk Team engaged Solidproof.io
to audit smart contracts that they created. The engagement was
technical in nature and focused on identifying security aws in the design
and implementation of the contracts. They provided Solidproof.io with
access to their code repository and whitepaper.
Logo
Contract Link
v1.0
https://bscscan.com/address/
0xba926AF457B69964C50F1e1fe5691c4F162Aa064#code
fl
fi
Vulnerability & Risk Level
Risk represents the probability that a certain source-threat will exploit
vulnerability, and the impact of that event on the organization or system.
Risk Level is computed based on CVSS version 3.0.
A vulnerability that
can disrupt the
contract functioning
Immediate action to
Critical 9 - 10 in a number of
reduce risk level.
scenarios, or creates a
risk that the contract
may be broken.
A vulnerability that
affects the desired
outcome when using Implementation of
High 7 – 8.9 a contract, or provides corrective actions as
the opportunity to soon aspossible.
use a contract in an
unintended way.
A vulnerability that
could affect the
Implementation of
desired outcome of
Medium 4 – 6.9
executing the
corrective actions in a
certain period.
contract in a speci c
scenario.
A vulnerability that
does not have a
Implementation of
signi cant impact on
certain corrective
Low 2 – 3.9 possible scenarios for
actions or accepting
the use of the
the risk.
contract and is
probably subjective.
A vulnerability that
have informational An observation that
Informational 0 – 1.9 character but is not does not determine a
effecting any of the level of risk
code.
6
fi
fi
Methodology
The auditing process follows a routine series of steps:
1. Code review that includes the following:
i) Review of the speci cations, sources, and instructions provided to SolidProof
to make sure we understand the size, scope, and functionality of the smart
contract.
ii) Manual review of code, which is the process of reading source code line-by-
line in an attempt to identify potential vulnerabilities.
iii) Comparison to speci cation, which is the process of checking whether the
code does what the speci cations, sources, and instructions provided to
SolidProof describe.
3. Best practices review, which is a review of the smart contracts to improve ef ciency,
effectiveness, clarify, maintainability, security, and control based on the established
industry and academic practices, recommendations, and research.
7
fi
fi
fi
fi
fi
fi
Used Code from other Frameworks/Smart
Contracts (direct imports)
Imported packages:
• OpenZeppelin
• IBEP20
• Ownable
• SafeMath
• Context
v1.0
9
fi
fi
fi
Metrics
Source Lines
v1.0
Risk Level
v1.0
10
Capabilities
Components
Version Contracts Libraries Interfaces Abstract
1.0 2 1 1 1
Exposed Functions
This section lists functions that are explicitly declared public or payable.
Please note that getter methods for public stateVars are not included.
1.0 27 0
1.0 11 33 0 8 18
State Variables
Version Total Public
1.0 9 0
Capabilities
Has
Solidity Experim Can Uses Destroya
Version Versions ental Receive Assembl ble
observed Features Funds y Contract
s
11
Scope of Work
The above token Team provided us with the les that needs to be tested
(Github, Bscscan, Etherscan, les, etc.). The scope of the audit is the main
contract (usual the same name as team appended with .sol).
Inheritance Graph
v1.0
12
fi
fi
Verify Claims
Correct implementation of Token standard
Tested Veri ed
✓ ✓
Function Description Exist Tested Veri ed
TotalSupply
provides information about the total
token supply ✓ ✓ ✓
BalanceOf
provides account balance of the
owner's account ✓ ✓ ✓
executes transfers of a speci ed
Transfer number of tokens to a speci ed
address
✓ ✓ ✓
executes transfers of a speci ed
TransferFrom number of tokens from a speci ed
address
✓ ✓ ✓
allow a spender to withdraw a set
Approve number of tokens from a speci ed
account
✓ ✓ ✓
Allowance
returns a set number of tokens from
a spender to the owner ✓ ✓ ✓
Optional implementations
Function Description Exist Tested Veri ed
renounceOwnership
Owner renounce ownership for
more trust ✓ ✓ ✘
13
fi
fi
fi
fi
fi
fi
fi
fi
Deployer cannot
mint ✓ ✓ ✓ Main
Comment Line: -
Max / Total Supply: 1.000.000.000
Comments:
v1.0
• Internal _mint function is available but it is never used
14
fi
Deployer cannot
lock ✓ ✓ ✓
Deployer cannot
burn ✓ ✓ ✓
Comments:
v1.0
• Internal _burn function is available but it is never used
• _lockTime is available (Ownable.sol) but it is never used
15
fi
Deployer cannot
pause ✓ ✓ ✓
16
fi
✓ ✓
Legend
Attribute Symbol
Ver ed / Checked ✓
Partly Veri ed ⚑
Unveri ed / Not checked ✘
Not available -
17
fi
fi
fi
fi
fi
CallGraph
18
Legend
Attribute Description
19
Audit Results
AUDIT PASSED
Critical issues
- no critical issues found -
High issues
- no high issues found -
Medium issues
- no medium issues found -
Low issues
Issue File Type Line Description
Informational issues
Issue File Type Line Description
#1 Ownabl Variable is never used 21 Remove unused variables
e.sol
#2 CryptoT Functions that are not 238-244, Remove unused functions
alk.sol used (dead-code) 273-276,
219-225
Line Comment
20
fi
fl
76-90 // //Locks the contract for owner for the amount of time provided
(Ownable.sol) // function lock(uint256 time) public virtual onlyOwner {
// _previousOwner = _owner;
// _owner = address(0);
// _lockTime = now + time;
// emit OwnershipTransferred(_owner, address(0));
// }
Recommendation
Remove the commented code, or address them properly.
Audit Comments
13. September 2021:
• There is still an owner (Owner still has not renounced ownership)
21
SWC Attacks
ID Title Relationships Status
SW Code With No
C-13 CWE-1164: Irrelevant Code PASSED
Effects
5
SW Message call
with CWE-655: Improper
C-13 PASSED
hardcoded gas Initialization
4
amount
Hash Collisions
SW With Multiple CWE-294: Authentication
C-13 Variable PASSED
Bypass by Capture-replay
3 Length
Arguments
SW Unexpected
C-13 CWE-667: Improper Locking PASSED
Ether balance
2
SW Presence of
C-13 unused CWE-1164: Irrelevant Code PASSED
1 variables
Right-To-Left-
SW Override CWE-451: User Interface (UI)
C-13 control Misrepresentation of Critical PASSED
0 character Information
(U+202E)
22
SW Write to
Arbitrary CWE-123: Write-what-where
C-12 PASSED
Storage Condition
4
Location
Missing
SW Protection CWE-347: Improper Veri cation
C-12 against PASSED
of Cryptographic Signature
1 Signature
Replay Attacks
SW Weak Sources
of Randomness CWE-330: Use of Insuf ciently
C-12 PASSED
from Chain Random Values
0
Attributes
23
fi
fi
fi
fi
fi
fi
fi
SW Timestamp CWE-829: Inclusion of
C-11 Functionality from Untrusted PASSED
Dependence
6 Control Sphere
CWE-362: Concurrent
SW Transaction Execution using Shared
C-11 Order Resource with Improper PASSED
4 Dependence Synchronization ('Race
Condition')
Use of
SW Deprecated CWE-477: Use of Obsolete
PASSED
C-111 Solidity Function
Functions
SW CWE-670: Always-Incorrect
C-11 Assert Violation PASSED
Control Flow Implementation
0
SW CWE-841: Improper
C-10 Reentrancy Enforcement of Behavioral PASSED
7 Work ow
SW Integer
C-10 Over ow and CWE-682: Incorrect Calculation PASSED
1 Under ow
25
fl
fl
26