Sparkle Smart Contracts Audit Report

Abhishek Sharma
Apr 8, 2019 · 6 min read

We’ve been asked by the sparkle team to review and audit their smart contracts.

We at QuillAudits are a team of blockchain developers , consultants and security auditors , trying to build a more secure and safe community in the Blockchain space. QuillAudits, QuillHash Smart Contracts Security Audit platform ensures the reliability of your smart contract by complete assessment of your system’s architecture and your smart contract code-base.

by QuillAudits, February 2019

Introduction :

This Audit Report highlights the overall security of SPARKLE Smart Contract. With this report, we have tried to ensure the reliability of their smart contract by complete assessment of their system’s architecture and the smart contract code-base.

Auditing Approach and Methodologies applied :

Quillhash team has performed thorough testing of the project starting with analyzing the code design patterns in which we reviewed the smart contract architecture to ensure it is structured and safe use of third party smart contracts and libraries.

Our team then performed a formal line by line inspection of the Smart Contract in order to find any potential issue like race conditions, transaction-ordering dependence, timestamp dependence, and denial of service attacks.

In the Unit testing Phase we coded/conducted Custom unit tests written for each function in the contract to verify that each function works as expected. In Automated Testing, We tested the Smart Contract with our in-house developed tools to identify vulnerabilities and security flaws.

The code was tested in collaboration of our multiple team members and this included -

  1. Testing the functionality of the Smart Contract to determine proper logic has been followed throughout.
  2. Analyzing the complexity of the code by thorough, manual review of the code, line-by-line.
  3. Deploying the code on test-net using multiple clients to run live tests
  4. Analyzing failure preparations to check how the Smart Contract performs in case of bugs and vulnerabilities.
  5. Checking whether all the libraries used in the code are on the latest version.
  6. Analyzing the security of the on-chain data.

Audit Details

  • Project Name: SPARKLE
  • Client Name: Jonah Glasgow
  • Languages: Solidity(Smart contract), JavaScript(Unit Testing)

Summary of Sparkle Smart Contract :

QuillAudits conducted a security audit of a smart contract of Sparkle mobile. Sparkle contract is used to create the Erc20 token which is sparkle token, Smart contract contain basic functionalities of ERC20 token with total supply of 70 million.

Audit Goals

The focus of the audit was to verify that the smart contract system is secure, resilient and working according to its specifications. The audit activities can be grouped in the following three categories:

Security: Identifying security related issues within each contract and within the system of contracts.

Sound Architecture: Evaluation of the architecture of this system through the lens of established smart contract best practices and general software best practices.

Code Correctness and Quality: A full review of the contract source code. The primary areas of focus include:

Correctness

Readability

Sections of code with high complexity

Quantity and quality of test coverage

Security Level references :

Every issue in this report was assigned a severity level from the following:

High severity issues will bring problems and should be fixed.

Medium severity issues could potentially bring problems and should eventually be fixed.

Low severity issues are minor details and warnings that can remain unfixed but would be better fixed at some point in the future.

High severity issues:-

No High Severity Issue.

Medium Severity Issues:-

1._burnFrom(address,uint256) of sparkle token contract is declared as internal function and doesn’t called from any other function.

Usage of this function is defined as :

“if any ethereum address is allowed to transfer token on the behalf of other account, the allowed ethereum address can burn tokens.

_burnFrom function further call _burn() function which is also declared internally.

Either use the _burnFrom() defined in smart contract or remove both functions from smart contract.

To use _burnFrom function declare function as a public function

_burnFrom(address,uint256) internal

USE:

_burnFrom(address,uint256) public

Status : Not considered as an Issue because _burnFrom is not a functionality needed by Sparkle contract, smart contract is already deployed on main-net.

2. Smart contract doesn’t have functionality to pause smart contract is case of any attack or bug found in smart contract, pause function will stop all the functionalities of smart contract i.e transfer(), transferFrom().

Use pausable library to stop or restart smart contract functionalities.

Status : Not considered as an Issue because contract doesn’t have use case to stop or restart.

Low Severity Issues:-

  1. Solidity naming conventions is not followed while declaring variables.

Use solidity naming conventions to declare variables, identifiers, functions in smart contract.

Slither Tool result

Unit Testing

Test Suite

Contract: Sparkle

✓ Should correctly initialize constructor values of Sparkle Token Contract (379ms)

✓ Should check the Total Supply of Sparkle Tokens

✓ Should check the Name of a token of sparkle contract

✓ Should check the symbol of a token of sparkle contract (46ms)

✓ Should check the decimal of a token of sparkle contract

✓ Should check the Owner of a sparkle token contract (42ms)

✓ Should check caller is Owner (47ms)

✓ Should check if caller is owner or not when called from Non Owner Account (38ms)

✓ Should check the balance of a Owner (39ms)

✓ Should check the balance of a Owner

✓ Should be able to transfer tokens to accounts[1] (277ms)

✓ Should Not be able to transfer tokens from accounts[1] to another account, more than balance of account[1] (135ms)

✓ should Approve address[3] to spend specific token on the behalf of owner (83ms)

✓ should increase allowance of address[3] to spend specific token on the behalf of owner (165ms)

✓ Should Not be able to transfer tokens approved by Owner to accounts[3] more than owner have (198ms)

✓ should decrease allowance of address[3] to spend specific token on the behalf of owner (133ms)

✓ Should be able to transfer tokens approved by Owner to accounts[3] (325ms)

✓ Should Not be able to transfer ownership of Sparkle token Contract from Non Owner Account (77ms)

✓ Should be able to transfer ownership of Sparkle token Contract (162ms)

✓ Should Not be able to Reannouance ownership of Sparkle token Contract from Non Owner Account (137ms)

✓ Should be able to reannouance ownership of Sparkle token Contract (234ms).

Final Result of Test:

✓ 21 Passing (3s) PASSED

❌ 0 Failed

Coverage Report :

coverage report result
code doesn’t covered in coverage report

Implementation Recommendations :

  • Use case of smart contract is very well designed and Implemented.
  • Use pausable library to stop functionalities of smart contract in case of attack on smart contract.
  • Remove unused functions from smart contract.

Comments:

Overall, the code is clearly written, and demonstrates effective use of abstraction, separation of concerns, and modularity. Sparkle development team demonstrated high technical capabilities, both in the design of the architecture and in the implementation.

All the Issues either solved or not considered as an issue by sparkle Team, Sparkle Token contract is deployed on main Network and sparkle development team decided not to redeploy smart contract as no critical issue is find in smart contract.

Transaction hashes

Network : rinkeby

Contract creation : 0x7cbf21bcc74dafbfbd7ca2778d5b61161f1067dc502538982b959e0a87a77e67Transfer tokens : 0x409a729cab843c5ee720ad86b88f40ec9b520fd2671854469884c870deddc0f3Approve : 0x7aeac8eff87b8815c964ce68ec2278d34f2c14cc9bd51add28be19b97dce836eSend ether to token contract (Should fail ): 0xfdbdc56b2ccb70a01d9ea36dc21524786fcb827f3afd92381207c0d070967b58transferFrom :0x1a86021c70b6c81c850fb495ca7769c458d7835fc2e477934c567587fa4b77aadecreaseAllowance : 0x510a9ff37e1f327756b006f03937c038dfa6d7ee858204609637909f69c21e5ftransferOwnership : 0x7aeab02eee7bcdee921249c904db70b17c9d7e9cc428cf737d81b68fe9e98297increaseAllowance : 0x01b19cc8a2850a6e5198436cecd0dbd5be57b1f62a59be3946052dc23aebf205RenounceOwnership : 0x31dd3ed478545ea9a175cbf5ae66a41ca2780e07fac066c338e42000bf67079c

You can request for Audit by filling a form :

https://quillhash.typeform.com/to/KQ5Hhm

To be up to date with our work, Join Our Community :-

Website | Medium| Telegram | Twitter | Facebook

QuillHash

Delivering Enterprise-grade blockchain technology to…

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store