The BABB team asked us to review and audit their Bax Token contract. We looked at the code and now publish our results.
The audited code is located in the babbplatform/baxtoken repository. The version used for this report is commit 3ba88dd8fb3a97e6668cf2029b38610283e28c17.
Here is our assessment and recommendations, in order of importance.
Update: The BABB team has followed our recommendations and updated the Bax Token contract. The new version is at commit e55371a30b9432023821a6e2ba2c77a8e1e26994.
Critical severity
No critical issues were found.
High severity
No high severity issues were found.
Medium severity
No medium severity issues were found.
Low severity
Lack of integration tests
The BaxToken contract makes use of the BurnableToken and CappedToken contracts of the OpenZeppelin framework. Although there are unit tests ensuring their correct behavior within the OpenZeppelin repository, there is no integration test ensuring that BaxToken itself behaves as expected.
Consider adding integration tests to check BaxToken behavior and initialization.
Update: Fixed in commit ea5268b.
Notes & Additional Information
BaxToken uses some of OpenZeppelin's contracts, claiming to be version 1.5.0, but the project declares no such dependency. Consider declaring this dependency explicitly, following our installation recommendation, via the zeppelin-solidity NPM package.
Update: Fixed in commit be9f106.
The 1.5.0 version of the OpenZeppelin framework includes a parameterized ERC20 token contract called DetailedERC20. Consider inheriting BaxToken from it to reuse that functionality.
Update: Fixed in commit c0fa245.
Conclusion
No critical or high severity issues were found. Some changes were proposed to follow best practices and reduce potential attack surface.
Note that as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Bax Token contracts. We have not reviewed the related BABB project. The above should not be construed as investment advice. For general information about smart contract security, check out our thoughts here.