Shoshin’s audit of CryptoFin’s Bskt smart contract

Anson Gomes, published in shoshin-group, May 31, 2018

The Shoshin team performed a security review of CryptoFin’s Bskt smart contract on its initial public release in April 2018. Shoshin was given access to CryptoFin’s GitHub repository and reviewed commit version 2acf674 of the Bskt smart contract source code.

Bskt is an Ethereum smart contract that allows users to compose any number of different Ethereum (ERC20) tokens into a single Bskt token. Similar to an Exchange Traded Fund (ETF), Bskt makes it easy and cost effective to hold a number of ERC20 tokens while owning only a single token.

No critical security issues were identified in the Bskt smart contract. The Bskt token uses out-of-the-box security constructs already provided in the OpenZeppelin library at its core. The code quality is good with verbose comments and test coverage for all the code blocks. The security issues identified and the attack vectors take advantage of poor or malicious construction of Bskt tokens and are not intrinsic to the smart contract itself.

The exploitable aspects of the Bskt token that were discovered arise through its interactions with other ERC20 tokens. In order to mint and burn Bskt tokens, the contract iterates over a list of underlying tokens and calls their external transfer and transferFrom functions, which relies heavily on those tokens' compliance with the ERC20 standard. This behavior is essential to the Bskt token's functionality; however, it leaves some potential attack vectors, ranging from denial-of-service to, in the extreme case of malicious ETH tokenization, stolen funds.
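To make the dependency concrete, the following is an added illustration written for this post, not Bskt's code and not from CryptoFin's repository. It is a minimal basket contract in modern Solidity (0.8.x; the audited code predates this) whose create and redeem loops pull and push every constituent token exactly as the paragraph above describes. The contract name, function names and the helper that tolerates non-standard return values are all assumptions made for the example. Two properties matter from a defender's point of view: the loop is all-or-nothing, so one constituent that reverts or returns false blocks minting and redemption for everyone (the denial-of-service case), and no amount of return-value checking makes a malicious constituent token safe, so the token list a basket is constructed with is part of its trust boundary.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface the basket depends on.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Illustrative basket (hypothetical, not Bskt's code). One basket unit is
/// backed by `quantities[i]` of `tokens[i]` for every i.
contract CheckedBasket {
    address[] public tokens;
    uint256[] public quantities;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(address[] memory _tokens, uint256[] memory _quantities) {
        require(_tokens.length == _quantities.length, "length mismatch");
        require(_tokens.length > 0, "empty basket");
        for (uint256 i = 0; i < _tokens.length; i++) {
            // Structural sanity only: a contract at the address, a non-zero
            // quantity, no duplicates. This does not establish that the token
            // behaves honestly; that is a review question, not a runtime check.
            require(_tokens[i].code.length > 0, "token is not a contract");
            require(_quantities[i] > 0, "zero quantity");
            for (uint256 j = 0; j < i; j++) {
                require(_tokens[j] != _tokens[i], "duplicate token");
            }
        }
        tokens = _tokens;
        quantities = _quantities;
    }

    // Pull `amount * quantities[i]` of every underlying token, then credit
    // basket units. If any constituent reverts or returns false, the whole
    // mint reverts: the basket is only as live as its least reliable token.
    function create(uint256 amount) external {
        require(amount > 0, "zero amount");
        for (uint256 i = 0; i < tokens.length; i++) {
            _checkedTransferFrom(tokens[i], msg.sender, address(this), amount * quantities[i]);
        }
        balanceOf[msg.sender] += amount;
        totalSupply += amount;
    }

    // Burn basket units, then push every constituent back to the holder.
    // State is updated before the external calls (checks-effects-interactions)
    // so a re-entering token cannot redeem the same units twice.
    function redeem(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient basket balance");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        for (uint256 i = 0; i < tokens.length; i++) {
            _checkedTransfer(tokens[i], msg.sender, amount * quantities[i]);
        }
    }

    // Accepts the two common ERC20 deviations: tokens that return no value
    // (pre-standard tokens) and tokens that return false instead of reverting.
    // A call to an address without code would report success with empty
    // return data, so the code-length check keeps that case failing closed.
    function _checkedTransferFrom(address token, address from, address to, uint256 amount) internal {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transferFrom.selector, from, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transferFrom failed");
    }

    function _checkedTransfer(address token, address to, uint256 amount) internal {
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory data) = token.call(
            abi.encodeWithSelector(IERC20.transfer.selector, to, amount)
        );
        require(ok && (data.length == 0 || abi.decode(data, (bool))), "transfer failed");
    }
}
```

The checked-call helpers are the mitigation for honest but non-compliant tokens; they turn a silently ignored `false` into a revert. They do nothing for a constituent that is deliberately hostile (for example, one that reverts on every transfer after enough baskets have been minted, freezing every holder's redemption), which is why the audit summary locates the real risk in how a basket is constructed rather than in the basket contract's own logic.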

The Solidity source code of the Bskt smart contract was reviewed. The usage and deployment of the smart contract can also affect the overall security of the token; this was considered during the review but was not a key focus. Due to time constraints, a differential analysis was performed, meaning that previously audited libraries (the OpenZeppelin token and Gnosis multisig contracts) were treated as secure and out of scope for this security review.

The full audit report can be downloaded here.
