Tierion Network Token Audit - OpenZeppelin blog

The Tierion team asked us to review and audit their Tierion Network Token (TNT) contract. We looked at the code and now publish our results.

The audited contract is in the file TierionNetworkToken.sol with SHA1 hash 8446b31466c20c18ec2ec1b1f91a4643b4d4f167.

Good job using OpenZeppelin to write minimal extra code. The documentation is very good and there are thorough integration tests.

Here’s our assessment and recommendations, in order of importance.

Update: The Tierion team followed our rec0mmendations and updated the contract, now with SHA1 hash cb389abaea20708899e373b913e7ee0fdd6e0768.

Critical Severity

No critical issues were found.

Low Severity

• According to the ERC20 standard the decimals variable (defined in line 31) should be of type uint8.
  Update: This was fixed in the latest version.

Notes and Additional Information

• Good job defining INITIAL_SUPPLY in terms of decimals.
• Giving a name to the smallest transferable unit of a token, in your case grain, is a great idea. It eliminates a common ambiguity when talking about token amounts. More projects should do this.
• If you are going to distribute the tokens manually via transfer, keep in mind that token holders will be able to make transfers themselves during the distribution. If you wish to audit the distribution afterwards to ensure it was done correctly, look for the Transfer events instead of balances.

Conclusion

Using OpenZeppelin led to very little custom code written, and no security issues were found in this code. Only one change was suggested, and some small observations were made.

Note that as of the date of publishing, the above review reflects the current understanding of known security patterns as they relate to the Tierion Network Token contract. We have not reviewed the related Tierion project. The above should not be construed as investment advice. For general information about smart contract security, check out our thoughts here.