This is the report from a security audit of the CORION platform performed by Dexaran. The audit focused primarily on the fault tolerance of the system. I can conclude that the smart contracts were not in their final state when the audit started, and changes were applied during the audit process, which made it more time consuming.
The whole system is modular. Contracts are upgradeable. The debug mode allows intervention in the contracts' workflow to fix any error that arises while they run.

Findings
I will not describe each reported issue and each function here because of the size of the contracts. All the work is transparently available in the GitHub repo.
In total, 78 issues were reported, including 6 critical issues (#1, #2, #3, #4, #5, #6), 2 compiler-related issues (#1, #2) and 1 EVM-related issue (#1).

In scope

announcementTypes.sol
ico.sol
module.sol
moduleHandler.sol
owned.sol
premium.sol
publisher.sol
token.sol
tokenDB.sol

Specification
A version of the CORION platform (commit hash bbb992e14b02d00669c4f4653f0f97a4aacf59d1) was deployed on the Rinkeby testnet.
Two sessions of bug bounty were launched.

Limited time frame
The whole system of CORION smart contracts is very complex, and the interactions between contracts are also complicated. The contracts were not in their final state when the audit began, and suggested changes were applied during the audit process. The system was not fully covered by automated tests.
As a result, it was impossible to test every aspect and fully cover the whole system with tests within the limited time frame.

Code readability
The code is hard to read and hard to verify, which increases the probability of mistakes and makes them harder to track down.

Superfluous functionality
The code is complicated by functionality that is not necessary for the contracts' workflow. Since any part of the code potentially creates a field ...