The Everus team asked us to review and audit their Everus Token (EVR) contract. We looked at the code and now publish our results.
The audited code is located in the EverusWorld/Contracts repository. The version used for this report is commit 41cd2da8382225b5f6e5eebd5eafae9dc9ae1b85
.
Here’s our assessment and recommendations, in order of importance.
No issues of critical severity.
No issues of high severity.
No issues of medium severity.
call
The implementation of approveAndCall
is using a low level call
to invoke a function on another contract. A comment explains this is “so one doesn’t have to include a contract in here just for this”. We would actually strongly recommend including the extra contract, and replacing the usage of call
for a Solidity function call. Manually crafting the function signature is highly error prone, and on top of that, the arguments are not typechecked. Consider adding an abstract contract with the receiveApproval
function declared, and using it to implement approveAndCall
.
It is recommended, in the ERC20 spec, to emit a Transfer
event with the source (_from
) set to 0x0
when minting new tokens. This enhances user experience by allowing applications such as Etherscan to learn of the new token holders. In this case this is only relevant for the constructor, where the initial balance is assigned to the contract creator. Nonetheless, consider emitting the corresponding event: Transfer(0x0, msg.sender, _initialAmount)
.
HumanStandardToken
from ConsenSys.revert
call is not needed, as Solidity contracts will by default not accept payments.approve
/transferFrom
functionality of ERC20 tokens, described here. Consider implementing one of the proposed mitigations, or using the ERC20 implementation from OpenZeppelin which already has one in place.No critical or high severity issues were found. Some small changes were proposed to follow best practices and reduce potential attack surface.
Note that as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Everus Token contract. We have not reviewed the related Everus project. The above should not be construed as investment advice. For general information about smart contract security, check out our thoughts here.