Bax Token Audit


The BABB team asked us to review and audit their Bax Token contract. We looked at the code and now publish our results.
The audited code is located in the babbplatform/baxtoken repository. The version used for this report is commit 3ba88dd8fb3a97e6668cf2029b38610283e28c17.
Here is our assessment and recommendations, in order of importance.
Update: The BABB team has followed our recommendations and updated the Bax Token contract. The new version is at commit e55371a30b9432023821a6e2ba2c77a8e1e26994.

Critical severity

No critical issues were found.

High severity

No high severity issues were found.

Medium severity

No medium severity issues were found.

Low severity

Lack of integration tests

The BaxToken makes use of the BurnableToken and CappedToken contracts of the OpenZeppelin framework. Although there are unit tests ensuring their correct behavior within the OpenZeppelin repository, there is no integration test to ensure that the BaxToken itself behaves as expected.
Consider adding integration tests to check BaxToken behavior and initialization.
Update: Fixed in commit ea5268b.

Notes & Additional Information

  • BaxToken uses some of OpenZeppelin’s contracts, claiming to be version 1.5.0, but there is no such declared dependency in the project. Consider declaring this dependency explicitly, following our installation recommendation, via the zeppelin-solidity NPM package.
    Update: Fixed in commit be9f106.
  • The 1.5.0 version of the OpenZeppelin framework includes a parameterized ERC20 token contract called DetailedERC20. Consider inheriting BaxToken from it to reuse that functionality.
    Update: Fixed in commit c0fa245.

Conclusion

No critical or high severity issues were found. Some changes were proposed to follow best practices and reduce potential attack surface.
Note that as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Bax Token contracts. We have not reviewed the related BABB project. The above should not be construed as investment advice. For general information about smart contract security, check out our thoughts here.