The Tierion team asked us to review and audit their Tierion Network Token (TNT) contract. We looked at the code and now publish our results.
The audited contract is in the file TierionNetworkToken.sol with SHA1 hash 8446b31466c20c18ec2ec1b1f91a4643b4d4f167.
Good job using OpenZeppelin to write minimal extra code. The documentation is very good and there are thorough integration tests.
Here’s our assessment and recommendations, in order of importance.
Update: The Tierion team followed our recommendations and updated the contract, now with SHA1 hash cb389abaea20708899e373b913e7ee0fdd6e0768.
Critical Severity
No critical issues were found.
Low Severity
- According to the ERC20 standard, the decimals variable (defined in line 31) should be of type uint8.
Update: This was fixed in the latest version.
Notes and Additional Information
- Good job defining INITIAL_SUPPLY in terms of decimals.
- Giving a name to the smallest transferable unit of a token, in your case grain, is a great idea. It eliminates a common ambiguity when talking about token amounts. More projects should do this.
- If you are going to distribute the tokens manually via transfer, keep in mind that token holders will be able to make transfers themselves during the distribution. If you wish to audit the distribution afterwards to ensure it was done correctly, look for the Transfer events instead of balances.
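The event-based check from the last note, as an added example that is not code from the audit or from the Tierion project: it replays a constructed Transfer log, shows why a balanceOf() snapshot can look wrong once a holder forwards tokens mid-distribution, and compares the distributor's own transfers against the planned allocation. The distributor and recipient addresses, the amounts and the decimals value of 8 are assumptions.

```python
# Added example, not the audited contract's code. Addresses, amounts and
# DECIMALS are constructed for illustration; TNT's real values are in the contract.
from collections import defaultdict

DECIMALS = 8                      # assumed value, not taken from the contract
GRAINS_PER_TOKEN = 10 ** DECIMALS

def to_grains(tokens):
    """Whole-token amount -> smallest unit ("grain"), as the contract stores it."""
    return tokens * GRAINS_PER_TOKEN

DISTRIBUTOR = "0xD157"            # constructed address doing the manual transfers

# Constructed ERC20 Transfer(from, to, value) events, in block order.
TRANSFER_EVENTS = [
    {"from": DISTRIBUTOR, "to": "0xA11CE", "value": to_grains(100)},
    {"from": DISTRIBUTOR, "to": "0xB0B",   "value": to_grains(50)},
    # Holder 0xB0B forwards 30 tokens before the distribution is audited.
    {"from": "0xB0B",     "to": "0xCA201", "value": to_grains(30)},
    {"from": DISTRIBUTOR, "to": "0xCA201", "value": to_grains(25)},
]

def balances_from(events):
    """Net balances implied by the log: what balanceOf() would show afterwards."""
    bal = defaultdict(int)
    for e in events:
        bal[e["from"]] -= e["value"]
        bal[e["to"]] += e["value"]
    return {a: v for a, v in bal.items() if a != DISTRIBUTOR}

def distributed_from(events, distributor):
    """Grains each address received directly from the distributor: the real distribution."""
    out = defaultdict(int)
    for e in events:
        if e["from"] == distributor:
            out[e["to"]] += e["value"]
    return dict(out)

def audit_distribution(events, distributor, planned):
    """Return {addr: (planned, actual)} for every address where the two differ."""
    actual = distributed_from(events, distributor)
    return {a: (planned.get(a, 0), actual.get(a, 0))
            for a in set(planned) | set(actual)
            if planned.get(a, 0) != actual.get(a, 0)}

PLANNED = {"0xA11CE": to_grains(100), "0xB0B": to_grains(50), "0xCA201": to_grains(25)}

if __name__ == "__main__":
    print("balances:   ", balances_from(TRANSFER_EVENTS))        # 0xB0B 20, 0xCA201 55 tokens
    print("distributed:", distributed_from(TRANSFER_EVENTS, DISTRIBUTOR))
    print("mismatches: ", audit_distribution(TRANSFER_EVENTS, DISTRIBUTOR, PLANNED))  # {}
```

Balances alone would suggest 0xB0B was short-changed and 0xCA201 over-paid; the distributor's Transfer events show the planned allocation was sent exactly.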
Conclusion
Using OpenZeppelin led to very little custom code written, and no security issues were found in this code. Only one change was suggested, and some small observations were made.
Note that as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Tierion Network Token contract. We have not reviewed the related Tierion project. The above should not be construed as investment advice. For general information about smart contract security, check out our thoughts here.