Submit Search
Upload
Ambisafe smart contracts audit
•
0 likes
•
95 views
Yar Naumenko
Follow
A-Z smart contract audit process by Ambisafe
Read less
Read more
Software
Report
Share
Report
Share
1 of 6
Download now
Download to read offline
Recommended
Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0
KennyNajarro2
SMTAI PowerPoint: Blockchain for High Tech
SMTAI PowerPoint: Blockchain for High Tech
Quentin Samelson
[Call for code] IBM 블록체인을 활용하여 투명하게 구호기금 관리하기 - Hyperledger Fabric v1.1 by 맹개발
[Call for code] IBM 블록체인을 활용하여 투명하게 구호기금 관리하기 - Hyperledger Fabric v1.1 by 맹개발
Yunho Maeng
Blockchain solution architecture deliverable
Blockchain solution architecture deliverable
Sarmad Ibrahim
IBM Blockchain Platform - Architectural Good Practices v1.0
IBM Blockchain Platform - Architectural Good Practices v1.0
Matt Lucas
Blockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdf
BlockchainLand
Wwc developing hyperledger applications v4
Wwc developing hyperledger applications v4
LennartF
Introduction to Hyperledger Composer
Introduction to Hyperledger Composer
Simon Stone
Recommended
Peck shield audit-report-umee-v1.0
Peck shield audit-report-umee-v1.0
KennyNajarro2
SMTAI PowerPoint: Blockchain for High Tech
SMTAI PowerPoint: Blockchain for High Tech
Quentin Samelson
[Call for code] IBM 블록체인을 활용하여 투명하게 구호기금 관리하기 - Hyperledger Fabric v1.1 by 맹개발
[Call for code] IBM 블록체인을 활용하여 투명하게 구호기금 관리하기 - Hyperledger Fabric v1.1 by 맹개발
Yunho Maeng
Blockchain solution architecture deliverable
Blockchain solution architecture deliverable
Sarmad Ibrahim
IBM Blockchain Platform - Architectural Good Practices v1.0
IBM Blockchain Platform - Architectural Good Practices v1.0
Matt Lucas
Blockchain Land Audit Report.pdf
Blockchain Land Audit Report.pdf
BlockchainLand
Wwc developing hyperledger applications v4
Wwc developing hyperledger applications v4
LennartF
Introduction to Hyperledger Composer
Introduction to Hyperledger Composer
Simon Stone
Pairwyse DSL Protocol - Whitepaper - V08.pdf
Pairwyse DSL Protocol - Whitepaper - V08.pdf
ashwin164916
IRJET- Study of Blockchain and its Concepts
IRJET- Study of Blockchain and its Concepts
IRJET Journal
growthbotics audit.pdf
growthbotics audit.pdf
Wilson Kao
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Simone Onofri
Sacred CertiK Security Assessment
Sacred CertiK Security Assessment
31bridgeport
Ibm system storage solutions handbook
Ibm system storage solutions handbook
Diego Alberto Tamayo
Hyperledger Fabric Technical Deep Dive 20190618
Hyperledger Fabric Technical Deep Dive 20190618
Arnaud Le Hors
Hyperledger
Hyperledger
Vinay Aitha
Sacred CertiK security assessment for Sacred
Sacred CertiK security assessment for Sacred
31bridgeport
BlockchainLAB Hackathon
BlockchainLAB Hackathon
Aleksandr Kopnin
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
Iosif Itkin
Interledger DvP Settlement on Amazon Managed Blockchain
Interledger DvP Settlement on Amazon Managed Blockchain
Amazon Web Services
Blockchain Tech Approach Whitepaper
Blockchain Tech Approach Whitepaper
Property Bihar
EOS Smart Contract Audit (https://www.somish.com/blockchain/smart-contract-au...
EOS Smart Contract Audit (https://www.somish.com/blockchain/smart-contract-au...
Somish Blockchain Labs
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Arnaud Le Hors
Hyperledger Fabric and Tools
Hyperledger Fabric and Tools
Rihusoft
Ibp technical introduction
Ibp technical introduction
LennartF
02 - Introduction to Hyperledger Fabric
02 - Introduction to Hyperledger Fabric
Merlec Mpyana
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM France Lab
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
Webcall.today
Webcall.today
Yar Naumenko
Introduction to mobile development expertise
Introduction to mobile development expertise
Yar Naumenko
More Related Content
Similar to Ambisafe smart contracts audit
Pairwyse DSL Protocol - Whitepaper - V08.pdf
Pairwyse DSL Protocol - Whitepaper - V08.pdf
ashwin164916
IRJET- Study of Blockchain and its Concepts
IRJET- Study of Blockchain and its Concepts
IRJET Journal
growthbotics audit.pdf
growthbotics audit.pdf
Wilson Kao
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Simone Onofri
Sacred CertiK Security Assessment
Sacred CertiK Security Assessment
31bridgeport
Ibm system storage solutions handbook
Ibm system storage solutions handbook
Diego Alberto Tamayo
Hyperledger Fabric Technical Deep Dive 20190618
Hyperledger Fabric Technical Deep Dive 20190618
Arnaud Le Hors
Hyperledger
Hyperledger
Vinay Aitha
Sacred CertiK security assessment for Sacred
Sacred CertiK security assessment for Sacred
31bridgeport
BlockchainLAB Hackathon
BlockchainLAB Hackathon
Aleksandr Kopnin
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
Iosif Itkin
Interledger DvP Settlement on Amazon Managed Blockchain
Interledger DvP Settlement on Amazon Managed Blockchain
Amazon Web Services
Blockchain Tech Approach Whitepaper
Blockchain Tech Approach Whitepaper
Property Bihar
EOS Smart Contract Audit (https://www.somish.com/blockchain/smart-contract-au...
EOS Smart Contract Audit (https://www.somish.com/blockchain/smart-contract-au...
Somish Blockchain Labs
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Arnaud Le Hors
Hyperledger Fabric and Tools
Hyperledger Fabric and Tools
Rihusoft
Ibp technical introduction
Ibp technical introduction
LennartF
02 - Introduction to Hyperledger Fabric
02 - Introduction to Hyperledger Fabric
Merlec Mpyana
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM France Lab
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
Freddy Buenaño
Similar to Ambisafe smart contracts audit
(20)
Pairwyse DSL Protocol - Whitepaper - V08.pdf
Pairwyse DSL Protocol - Whitepaper - V08.pdf
IRJET- Study of Blockchain and its Concepts
IRJET- Study of Blockchain and its Concepts
growthbotics audit.pdf
growthbotics audit.pdf
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Attacking and Exploiting Ethereum Smart Contracts: Auditing 101
Sacred CertiK Security Assessment
Sacred CertiK Security Assessment
Ibm system storage solutions handbook
Ibm system storage solutions handbook
Hyperledger Fabric Technical Deep Dive 20190618
Hyperledger Fabric Technical Deep Dive 20190618
Hyperledger
Hyperledger
Sacred CertiK security assessment for Sacred
Sacred CertiK security assessment for Sacred
BlockchainLAB Hackathon
BlockchainLAB Hackathon
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
ClearTH Test Automation Framework: Case Study in IRS & CDS Swaps Lifecycle Mo...
Interledger DvP Settlement on Amazon Managed Blockchain
Interledger DvP Settlement on Amazon Managed Blockchain
Blockchain Tech Approach Whitepaper
Blockchain Tech Approach Whitepaper
EOS Smart Contract Audit (https://www.somish.com/blockchain/smart-contract-au...
EOS Smart Contract Audit (https://www.somish.com/blockchain/smart-contract-au...
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric and Tools
Hyperledger Fabric and Tools
Ibp technical introduction
Ibp technical introduction
02 - Introduction to Hyperledger Fabric
02 - Introduction to Hyperledger Fabric
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
IBM Cloud Côte D'Azur Meetup - 20181004 - Blockchain Hyperledger Workshop
26.1.7 lab snort and firewall rules
26.1.7 lab snort and firewall rules
More from Yar Naumenko
Webcall.today
Webcall.today
Yar Naumenko
Introduction to mobile development expertise
Introduction to mobile development expertise
Yar Naumenko
Introduction to IoT development
Introduction to IoT development
Yar Naumenko
Projects portfilio
Projects portfilio
Yar Naumenko
HR Bot - Adwords for LinkedIn
HR Bot - Adwords for LinkedIn
Yar Naumenko
Projects examples
Projects examples
Yar Naumenko
Nomerok - превращаем обычных клиентов в постоянных
Nomerok - превращаем обычных клиентов в постоянных
Yar Naumenko
More from Yar Naumenko
(7)
Webcall.today
Webcall.today
Introduction to mobile development expertise
Introduction to mobile development expertise
Introduction to IoT development
Introduction to IoT development
Projects portfilio
Projects portfilio
HR Bot - Adwords for LinkedIn
HR Bot - Adwords for LinkedIn
Projects examples
Projects examples
Nomerok - превращаем обычных клиентов в постоянных
Nomerok - превращаем обычных клиентов в постоянных
Recently uploaded
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
Philip Schwarz
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
Velvetech LLC
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
BrainSell Technologies
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
jennyeacort
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
qr0udbr0
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
Wave PLM
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
soniya singh
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
Christina Lin
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
Alina Yurenko
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
OnePlan Solutions
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio, Inc.
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
Hanief Utama
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
StefanoLambiase
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
kzayra69
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Ahmed Mohamed
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
Łukasz Chruściel
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Christina Lin
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
stazi3110
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
Livetecs LLC
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
VICTOR MAESTRE RAMIREZ
Recently uploaded
(20)
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
How to Track Employee Performance A Comprehensive Guide.pdf
How to Track Employee Performance A Comprehensive Guide.pdf
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
Ambisafe smart contracts audit
1.
Source Code Review Prepared
for Talla• December 2017 V1.0 1. Table of Contents 1. Table of Contents 2. Executive Summary 3. Introduction 4. Findings 4.1. Problems in the ERC-20 specification 4.2. Race condition after AssetWithWhitelist contract creation 4.3. No public visibility modifiers for public methods 4.4. Use of Solidity versions prior 0.4.18 4.5. Opt-out upgrade 5.Closing Remarks DRAFT
2.
2. Executive Summary In
December 2017, Talla engaged Coinspect to perform a security audit of the Ambisafe token contracts. The contract was received in the following archive: https://drive.google.com/drive/u/1/folders/10ALrQ7biCIjahFOJnnTi7_yjb4GrqkIw The objective of the audit was to evaluate the security of the smart contracts. During the assessment, Coinspect identified the following issues: High-Risk Medium Risk Low Risk Zero Risk 0 0 5 0 Only 5 low risk issues were found, and the overall quality of the audited code was good. 3. Introduction The Ambisafe contracts comprises the following contracts working together: ● Ambi.sol ● Ambi2.sol ● Ambi2Enabled.sol ● Ambi2EnabledFull.sol ● AmbiEnabled.sol ● AssetWithAmbi.sol ● RegistryICAP.sol ● MultiAssetEmitter.sol ● ERC20Interface.sol ● AssetWithWhitelist.sol ● Safe.sol ● StackDepthLib.sol ● EToken2Interface.sol ● EToken2.sol ● EToken2Emitter.sol ● EventsHistory.sol ● helpersBytes32.sol ● helpersReturnData.so ● Asset.sol ● AssetInterface.sol ● AssetProxy.sol ● AssetProxyInterface.sol © 2017 Coinspect DRAFT/1
3.
The AssetProxy is
an ERC-20 compliant token smart contrac, that forwards all calls to an associated Asset smart contract that provides an upgradeable back-end. All requests end up being managed by the EToken2 contract. This contract manages multiple assets. Also EToken2 allows the recovery of the funds in case of a lost private key by two methods: delegation of trust and co-signers, The source code for the co-signer was not present in the source code package. The RegistryICAP smart contract manages transfers of tokens to institutions identified by an ICAP address. The remaining contracts manage access control, logging of events and whitelisting. A whitebox security audit was conducted on these smart contracts. The present report was completed on December 18th, 2017, by Coinspect. The report includes all issues identified in the audit. The following checks, related to best practices, were performed: - Confusion of the different method calling possibilities: send(), transfer(), and call.value() - Missing error handling of external calls - Erroneous control flow assumptions after external calls - The use of push over pull for external calls - Lack of enforcement of invariants with assert() and require() - Rounding errors in integer division - Fallback functions with higher gas limit than 2300 - Functions and state variables without explicitly visibility - Missing pragmas to for compiler version - Race conditions, such as contract Reentrancy - Transaction front running - Timestamp dependence - Integer overflow and underflow - Code blocks that consumes a non-constant amount of gas, that grows over block gas limit. - Denial of Service attacks - Suspicious code or underhanded code. - Error prone code constructs - Race conditions © 2017 Coinspect DRAFT/2
4.
4. Findings The list
of issues found follows. 4.1. Problems in the ERC-20 specification Low Risk Increasing an allowance with approve() presents a race condition because of the non-atomic implementation of the read and write operations [1]. If the allowed tokens are consumed just before the new allowance is confirmed, then the sender may end up allowing more than the double of the expected allowance of tokens. Recommendation Add the methods increaseApproval() and decreaseApproval() to the ProxyAsset contract, using as a template the implementations in the OpenZeppelin library [2]. [1] https://github.com/ethereum/EIPs/issues/20#issuecomment-263524729 [2] https://github.com/OpenZeppelin/zeppelin-solidity/blob/master/contracts/token/StandardToken.sol#L70 4.2. Race condition after AssetWithWhitelist contract creation Low Risk When an AssetWithWhitelist is created, it has no “admin” role, no whitelisted addresses, and not transfer restriction because restrictionExpiraton is set to zero. Therefore there is always a window of time after creation when tokens can be transferred without whitelisting. Recommendation It is recommended that restrictionExpiraton is set to 0xff...ff upon contract creation to prevent unexpected transfers. Also it’s important that a contract creation checklist includes the setup of the “admin” role and the setup of the final restrictionExpiraton value. 4.3. No public visibility modifiers for public methods Low Risk Solidity methods are public by default. However it’s a good programming practice to inform this to the reader by adding the “public” visibility modifier to function definitions to prevent confusions. © 2017 Coinspect DRAFT/3
5.
Recommendation Add the “public”
visibility modifiers to public methods. 4.4. Use of Solidity versions prior 0.4.18 Low Risk Solidity has fixed several vulnerabilities between release 0.4.8 an the release 0.4.18 [3]. The Ambisafe contracts were compiler with version 0.4.8 or 0.4.15, therefore they may be affected by these vulnerabilities. We analyzed each of the documented vulnerabilities and we believe the contracts are not affected. However, a small risk that other undocumented vulnerabilities are present in old releases of the compiler. [3] http://solidity.readthedocs.io/en/develop/bugs.html Recommendation If possible, re-deploy the Ambisafe contracts, recompiled with the last Solidity release. If not possible, execute test cases for each possible code path. 4.5. Opt-out upgrade Low Risk The owner of an Asset can propose an upgrade, completely changing the back-end logic of an asset. Upgrading is opt-out, meaning that the asset is upgraded by default if users do not out-out. Proposing an upgrade generates an event (UpgradeProposal), but it's not clear how token holders will be notified of the proposal on time. The window for commitment of the upgrade is only 3 days, so an upgrade could go undetected by the community. Recommendation Document in the Talla whitepaper the fact that the token has an upgrade system so users are aware they may need to decide to opt-out. Upgradeability should be a property that can be turned off forever by the owner of an Asset, if there is no plan to use it. 5.Closing Remarks It has been a pleasure to work with Talla. We believe that the Ambisafe contracts are free from critical defects. The scope of the present security audit is limited to smart contract code. It does © 2017 Coinspect DRAFT/4
6.
not cover the
technologies and designs related to these smart contracts, nor the frameworks and wallets that communicate with the contracts, nor the operational security of the company that created and will deploy the audited contracts. This document should not be read as investment or legal advice. © 2017 Coinspect DRAFT/5
Download now