
Smart Contract Code Review and Security Analysis Report

Date: November 11, 2018

ethebit.io


This document contains confidential information about IT systems and intellectual property of the customer as well as information about potential vulnerabilities and methods of their exploitation.

This confidential information shall be used only internally by the customer and shall not be disclosed to third parties.


Document:

Name: Smart Contract Code Review and Security Analysis Report for Ethebit

Platform: Ethereum / Solidity

Link: github.com


Introduction

This report presents the findings of the security assessment and code review of the Customer's smart contract, conducted between November 1st, 2018 and November 11th, 2018.

 

Scope

 

The scope of the project is the Ethebit smart contract, which can be found on GitHub at the link below: https://github.com/Ethebit/Ethebit/blob/master/Ethebit.sol

We have checked this smart contract for commonly known and more specific vulnerabilities. The commonly known vulnerability classes considered include, but are not limited to, the following:

  Reentrancy

  Timestamp Dependence

  Gas Limit and Loops

  DoS with (Unexpected) Throw

  DoS with Block Gas Limit

  Transaction-Ordering Dependence

  Byte array vulnerabilities

  Style guide violation

  Transfer forwards all gas

  Malicious libraries

  Compiler version not fixed

  Unchecked external call

  Unchecked math

  Unsafe type inference

  Implicit visibility level

 

Executive Summary

Our team performed an analysis of the code functionality, a manual audit and automated checks with solc and the Remix IDE. All issues reported by the automated analysis were manually reviewed, and the applicable findings are presented in the Audit overview section. A general overview of the contract is given in the AS-IS section, and all identified issues are listed in the Audit overview section. We found 1 low severity issue in the smart contract.


AS-IS overview

 

The Ethebit contract manages an investment system.

Ethebit uses the SafeMath library and inherits from an Ownable contract.

 

Ownable Contract

 

The Ownable contract is designed to restrict the most important contract functions to the contract owner.

The Ownable contract contains the onlyOwner modifier and the changeOwner() function. The changeOwner() function changes the wallet address of the contract owner and is itself guarded by the onlyOwner modifier, so the owner of the contract can only be changed by the current owner.

 

The Ethebit contract inherits all the functionality of the Ownable contract, but does not make use of it:

1.  Not a single function in the Ethebit contract carries the onlyOwner modifier.

2.  The Ethebit contract constructor contains the following line: owner = address (0);

Thus the contract owner is set to the zero address. No real wallet has this address, so no transaction can ever satisfy the onlyOwner check; in particular changeOwner() can never be called, and it is impossible to set a real owner address for the contract.
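The following is an added illustration of the issue described above; it is not code from the Ethebit repository. It shows an Ownable base in the style the report describes, a derived contract that overwrites the owner with address(0) in its constructor, and a corrected variant. The changeOwner() signature, the event and the ownerOnlyAction() function are assumptions made for this example.

```solidity
pragma solidity 0.4.25;

// Added example, not Ethebit's code. Compiler version pinned rather than
// floating, which is one of the checklist items in this report.

contract Ownable {
    address public owner;

    // Assumed event; the report only names changeOwner() and onlyOwner.
    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    // Assumed signature: the report names the function but not its parameters.
    function changeOwner(address _newOwner) public onlyOwner {
        require(_newOwner != address(0), "new owner is the zero address");
        emit OwnerChanged(owner, _newOwner);
        owner = _newOwner;
    }
}

// Mirrors what the report describes: the base constructor sets
// owner = msg.sender, then the derived constructor overwrites it with
// address(0). No private key corresponds to address(0), so no transaction
// can ever have msg.sender == owner: every onlyOwner function, including
// changeOwner() itself, is unreachable for the life of the contract.
contract EthebitLikeBroken is Ownable {
    constructor() public {
        owner = address(0);
    }

    // Assumed owner-only function; in the audited contract no function
    // carries onlyOwner at all, which is why the report recommends
    // removing Ownable rather than fixing the constructor.
    function ownerOnlyAction() public view onlyOwner returns (bool) {
        return true;
    }
}

// Corrected variant for the case where owner privileges are actually
// wanted: do not override the owner, so the inherited constructor leaves
// owner = msg.sender (the deployer), and changeOwner() stays usable.
contract EthebitLikeFixed is Ownable {
    function ownerOnlyAction() public view onlyOwner returns (bool) {
        return true;
    }
}
```

Deploying EthebitLikeBroken and calling ownerOnlyAction() or changeOwner() from any account reverts with "caller is not the owner"; the same calls from the deployer of EthebitLikeFixed succeed. If, as in the audited contract, nothing uses onlyOwner, the dead Ownable code should simply be removed.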

 

Ethebit Contract

 

The fallback function calls invest() with the parameter 0. ETH sent directly to the contract address is therefore invested without a referrer, and the referral system does not apply on that path.

The invest() function processes incoming ETH into the investment fund. If the value of the _refLink parameter is greater than 100, the referrer receives a reward; otherwise the reward goes to the technical support team.


The getBalance() function calculates the dividends that an investor can receive at the current time. Its parameter is the address of the investor's wallet.

The checkBalance() function returns the dividends of the user who called it. The function has no parameters.

The withdrawProfit() function pays out the dividends of the user who called it. The function has no parameters.

The checkWithdrawals() function returns the amount of dividends already withdrawn by an investor. Its parameter is the address of the investor.

The checkInvestments() function returns the amount of an investor's deposit. Its parameter is the address of the investor.

The getMyDeposit() function is used by the caller to receive their deposit. The function has no parameters.

The makeReferrerProfit() function accrues the reward for a referrer. Its parameter is the referral number.

The getMyReferrerProfit() function pays out the referral reward to the user who called it. The function has no parameters. The payout is only made if the accrued referral reward exceeds the minimum of 0.01 Ether.
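As an added illustration of what the audit checks under the Reentrancy, Transfer forwards all gas and Unchecked math items of the checklist, applied to payout functions of the kind described for withdrawProfit() and getMyReferrerProfit(): a withdrawal written the unsafe way beside the safe way. This is example code, not the Ethebit contract's implementation; the report makes no reentrancy finding against Ethebit. The mapping name, the deposit path and the reuse of the 0.01 Ether minimum are assumptions for this example.

```solidity
pragma solidity 0.4.25;

// Added example, not Ethebit's code. Minimal SafeMath so the file is
// self-contained; the audited contract uses its own SafeMath library.
library SafeMath {
    function add(uint256 a, uint256 b) internal pure returns (uint256) {
        uint256 c = a + b;
        require(c >= a, "addition overflow");
        return c;
    }
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "subtraction underflow");
        return a - b;
    }
}

// Unsafe variant: the three checklist items in one function.
contract WithdrawUnsafe {
    mapping(address => uint256) public dividends;

    function () public payable {
        // Unchecked math: plain += wraps silently on overflow.
        dividends[msg.sender] += msg.value;
    }

    // Reentrancy: the external call happens before the balance is zeroed,
    // and call.value() forwards all remaining gas, so a contract recipient
    // whose fallback calls withdrawProfit() again is paid repeatedly until
    // the contract's ETH or the gas runs out.
    function withdrawProfit() public {
        uint256 amount = dividends[msg.sender];
        require(amount > 0, "nothing to withdraw");
        require(msg.sender.call.value(amount)(), "payout failed");
        dividends[msg.sender] = 0;
    }
}

// Safe variant: checks, then effects, then interactions.
contract WithdrawSafe {
    using SafeMath for uint256;

    // Assumed: reuse of the 0.01 ether minimum the report mentions.
    uint256 constant MIN_WITHDRAWAL = 0.01 ether;

    mapping(address => uint256) public dividends;

    function () public payable {
        dividends[msg.sender] = dividends[msg.sender].add(msg.value);
    }

    function withdrawProfit() public {
        uint256 amount = dividends[msg.sender];
        require(amount >= MIN_WITHDRAWAL, "below minimum withdrawal");
        // Effect before interaction: a re-entering caller now sees 0.
        dividends[msg.sender] = 0;
        // transfer() forwards only the 2300 gas stipend and reverts on
        // failure, so the recipient cannot call back into this contract.
        msg.sender.transfer(amount);
    }
}
```

The 2300-gas stipend of transfer() was the standard mitigation in 2018, when this report was written; after the Istanbul gas repricing (EIP-1884) recipients with non-trivial fallback functions may no longer fit in that stipend, so newer code usually pairs a reentrancy guard with a checked call instead. The checks-effects-interactions ordering is the part that matters in either case.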

 

The makeReferralLink() function generates a referral number for the user who called it. The function has no parameters.

The getReferralLink() function returns the referral number of the user who called it. The function has no parameters.

The checkReferrerBalance() function returns the total amount of reward accrued for a referrer. Its parameter is the address of the referrer.


Audit overview

 

Critical

No critical vulnerabilities were found.

 

 

High

No high severity vulnerabilities were found.

 

 

Medium

No medium severity vulnerabilities were found.

 

 

Low

The Ownable contract is inherited but never used: no function in the Ethebit contract carries the onlyOwner modifier, and the Ethebit constructor sets owner = address(0), which makes changeOwner() permanently uncallable. Dead privileged code adds attack surface and review effort without benefit. We recommend removing the Ownable contract; if owner-only functions are needed later, the owner should be initialised to the deployer (msg.sender) rather than the zero address.

 

Informational statements

 

Informational statements are audit team findings that do not represent security issues. They are included in the report to clarify and outline functionality and business requirements.

 

 

Conclusion

 

This audit report contains all security vulnerabilities and other issues found in the reviewed code.

The overall quality of the reviewed contracts is good; however, they contain 1 low severity issue.


Disclaimers

 

The smart contracts given for audit have been analyzed in accordance with the best industry practices at the date of this report, in relation to: cybersecurity vulnerabilities and issues in the smart contract source code, the details of which are disclosed in this report (Source Code); and the compilation, deployment and functionality of the Source Code (performing the intended functions).

The audit makes no statements or warranties on the security of the code. It also cannot be considered a sufficient assessment of the utility and safety of the code, its bug-free status or any other statements about the contract. While we have done our best in conducting the analysis and producing this report, it is important to note that you should not rely on this report only; we recommend proceeding with several independent audits and a public bug bounty program to ensure the security of the smart contracts.