[DPRating] Github Audit for 200 Blockchain projects — May 2018, added Elastos, Alis, SDChain, BitDegree, IPChain

by DPRating team

In this month’s code audit we have made the following improvements:

  • This list is released in collaboration with Redside. Because of the recurring security issues in ERC20 code, DPRating worked with Redside to conduct security audits of Rating and Coinmeet in order to assure the security of the tokens. Redside is a professional code audit agency under Tianhecloud in China. Its employees include numerous blockchain engineering experts and were among the first groups to conduct code audits for blockchain projects. Through code auditing, code security can be evaluated, potential security vulnerabilities can be discovered, and advice for fixing the relevant issues can be provided. Redside is focused on security services and on building an experienced, efficient and high-quality tech team. To date, Redside has served over 200 blockchain projects.
  • New projects: Elastos, Alis, SDChain, BitDegree, IPChain, InvestFeed, SophiaTX
  • We will soon implement a search function for projects’ Github updates on dprating.com

Security Audit

Rating

website: dprating.com

The library address of Rating on Github is: https://github.com/DPRating
The most active code library is the smart contract library “Rating-erc20”.
In order to assure the effectiveness and security of the Rating token, Redside has audited the code. Rating’s smart contract meets the ERC20 standard, and no logic flaw was found. The token has the basic functions of searching, transferring and authorizing, and these functions have been examined. The contract can effectively filter out useless parameters and can defend against arithmetic overflow.

There is an admin role in the contract management, and the admin can intervene in the supply of the token. So far the admin is not authorized to burn users’ tokens or retrieve tokens from users, the token is unlikely to. and it’s destructible.

Overall, Redside did not find any major security flaw in Rating.

Coinmeet(MEET)

website: coinmeet.io

Following the BEC and SMT bugs in April, we spotted major transaction bugs in EDU and BAIC (both listed on huobi.pro) in May. The cause is that the code for verifying the authorized amount is missing. To help prevent similar incidents, we chose to audit Coinmeet, a project that also received investment from Huobi Labs.
Redside has audited the code. Coinmeet’s smart contract meets the ERC20 standard. The token has the basic functions of searching, transferring and authorizing, and these functions have been examined. However, the contract does not verify the address and amount inputs, so it cannot prevent useless parameters from producing meaningless transactions.

There is no admin role in the contract, additional issuance is not possible, and users cannot destroy their own tokens.

In general, no major security flaw is found in the Coinmeet smart contract.
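
The missing authorized-amount check described above for EDU and BAIC, and the address validation the Coinmeet audit notes as absent, shown as an added example; this is a constructed illustration, not code from Redside or from any audited token. The contract and function names are hypothetical, and Solidity 0.8 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration: minimal ERC20-style ledger, flawed and hardened transferFrom.
contract AllowanceCheckDemo {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        emit Transfer(address(0), msg.sender, supply);
    }

    function approve(address spender, uint256 value) external returns (bool) {
        require(spender != address(0), "zero spender");
        allowance[msg.sender][spender] = value;
        emit Approval(msg.sender, spender, value);
        return true;
    }

    // Flawed pattern: the owner's balance is checked, the caller's allowance is not.
    // `unchecked` reproduces pre-0.8 wrapping arithmetic, so the allowance underflows silently.
    function transferFromUnchecked(address from, address to, uint256 value) external returns (bool) {
        require(balanceOf[from] >= value, "balance");
        unchecked {
            balanceOf[from] -= value;
            balanceOf[to] += value;
            allowance[from][msg.sender] -= value;
        }
        emit Transfer(from, to, value);
        return true;
    }

    // Hardened form: validates the recipient, the balance and the authorized amount
    // before any state change; 0.8 checked arithmetic is a second line of defence.
    function transferFrom(address from, address to, uint256 value) external returns (bool) {
        require(to != address(0), "zero recipient");
        require(balanceOf[from] >= value, "balance");
        require(allowance[from][msg.sender] >= value, "allowance");
        allowance[from][msg.sender] -= value;
        balanceOf[from] -= value;
        balanceOf[to] += value;
        emit Transfer(from, to, value);
        return true;
    }
}
```

An audit test for this class of bug calls `transferFrom` from an account that holds no approval and asserts that the call reverts.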

How do we rate?

Popularity of the Library

Popularity of the Library is defined as the mean number of Watch, Star and Fork counts. Very High: > 500, High: between 100 and 500, Medium: between 20 and 100, Low: below 20.

Number of Contributors

Number of Contributors: The number of contributors that have committed code in the last month. High: More than 12, Medium: between 6 and 12, Low: Below 6.

Release Frequency

Release Frequency: We took the version release frequency of Bitcoin and Ethereum, 14.31 days for a new release, as a reference value. We then divide a project’s average number of days per new release by 14.31 to get a release frequency score. High: below 2, Medium: between 2 and 4, Low: above 4.

e.g. The main chain of EOS has been released 35 times from 4/1/2017 to 4/2/2018, for an average of 9.13 days between new releases. This divided by 14.31 is 0.71, so the release frequency of EOS would be considered high.

Type of commit

A1: Continuously, steadily developing new features

A2: Fixing Bugs and testing after new feature developments

A3: Releasing few new features based on initial commitment and changing configurations.

B: Fixing bugs and testing for Devops

C: Changing configuration for Devops

D: Cannot be defined in any above category

The overall rating ranges from 1 to 5

Popularity of the library: 1 point for Very High, 0.5 points for High, no point for Medium or Low;

Number of Contributors: 1 point for High, 0.5 point for Medium, no point for Low

Release frequency: 1 point for High, 0.5 point for Medium, no point for Low

Number of Commits: 1 point for over 200 commits, 0.5 point for between 100 and 200 commits, no point for between 30 and 100 or below 30

Commit type: 1 point for A1 or A2, 0.5 point for A3, no point for B, C and D

Note that we only audit core libraries. The definition of core library varies for each project.

Here is the list: