Edgeless security audit

By no-reply Feb 26, 2017 6:56 AM EST


This is a technical audit for Edgeless crowdsale and token smart contracts. Edgeless is a decentralized casino without a house edge.

Scope

This audit scope includes

  • Crowdsale contract

  • Token contract (ERC-20)

  • Multisignature wallet best practices

This audit is purely technical and is not investment advice.

Investor protection

Investor protection commitment statement

The Edgeless team is committed to investor protection, as stated by Tomas Draksas, Edgeless CEO.

“Ethereum has enormous potential”, comments Edgeless CTO, Ignas Mangevicius.

“However every project which deals with financial transactions such as casino requires extreme attention for security. And that’s our top priority, making sure that we implement knowledge that community gained from the past incidents”

I’d like to stress that Ethereum and blockchain technologies are still young. There are many factors outside the influence of the Edgeless team that may affect the Edgeless project and crowdsale. The Edgeless team takes precautions and follows Ethereum development best practices to avoid any known and unknown risks.

Protection of funds

When somebody participates in the Edgeless crowdfunding, the underlying smart contract moves the ethers to an Ethereum multisignature wallet instantly. This multisignature wallet is a well-known contract, the same one that ships with Parity. The multisignature wallet cosigners are a geographically distributed team. They act as a human checkpoint for moving funds around. The human checkpoint is there to prevent any theft, smart contract hack or insider fraud attempts.

The funds are protected in case any issues are found with the smart contracts. Even if the crowdsale or token contracts were to have issues, the Edgeless team could manually issue the tokens.

Refund mechanism

If the ICO does not reach the minimum funding goal, the crowdsale smart contract can automatically issue a refund to all the participants. In this case funds are moved back from the multisignature wallet to the crowdsale contract and the participants can request a refund.

Guaranteed token supply and burn mechanism

At the end of the crowdsale the unsold tokens are burnt. Anyone can trigger the burn mechanism; it does not have to be a team member. No more EDG tokens can be issued.

Testing team

The Edgeless team's internal test suite was not shared with me. I wrote my own automated test suite to ensure the contract functionality matches the Edgeless marketing proposal. Further tests were performed independently by Marco Polci. Thus the smart contracts are vetted by at least three different parties.

Code practices

Each function and variable of smart contract source code was well commented.

Performed tests

I performed the following 19 tests on the given smart contracts. The test suite is available on GitHub. The test suite includes the contract versions that were given to me for testing.

  • Crowdsale test suite. Crowdsale is properly initialized with given parameters.
  • Crowdsale test suite. Price tiers match given dates.
  • Crowdsale test suite. Dates match those given in the project material.
  • Crowdsale test suite. Sending ETH successfully buys tokens.
  • Crowdsale test suite. User can buy more tokens.
  • Crowdsale test suite. A too-small buy-in gives an error.
  • Crowdsale test suite. One cannot buy more than the maximum token allocation.
  • Crowdsale test suite. One cannot participate in the crowdsale too early.
  • Crowdsale test suite. Checking goal reached does nothing unless ICO is over.
  • Crowdsale test suite. Checking goal reached closes crowdsale if we are past the end deadline.
  • Crowdsale test suite. Crowdsale may not reach its minimum funding goal.
  • Crowdsale test suite. Extra tokens are burnt as described at the end of the ICO.
  • Crowdsale test suite. Buyer cannot transfer tokens before ICO is over.
  • Crowdsale test suite. Refunding failed ICO gives ETH back correctly.
  • ERC-20 compatibility test suite. Edgeless token satisfies ERC-20 interface.
  • ERC-20 compatibility test suite. ERC-20 compatible transfer() is available.
  • ERC-20 compatibility test suite. ERC-20 transfer fails if user exceeds his/her balance.
  • ERC-20 compatibility test suite. Tokens can be transferred with ERC-20 allowance approval.
  • ERC-20 compatibility test suite. One cannot transfer more than the approved allowance.

Encoded deadlines

  • Start is 2017-02-28 15:00:00+00:00
  • Deadline 1 is 2017-02-28 16:00:00+00:00
  • Deadline 2 is 2017-03-07 16:00:00+00:00
  • Deadline 3 is 2017-03-14 16:00:00+00:00
  • Deadline 4 is 2017-03-21 16:00:00+00:00
  • Token is transferable 2017-03-21 16:00:00+00:00
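
The lifecycle described above (instant forwarding to the multisignature wallet, the close check after the deadline, the burn, the refund path and the transfer lock) can be modelled as a small Python state machine and exercised the way the listed tests do. This is an added example, not the Edgeless contracts or the audit's test suite. The class and method names, price, token cap, minimum buy-in and funding goal are constructed, burning at close regardless of outcome is an assumption, and only the two timestamps come from the list above.

```python
from datetime import datetime

def ts(s):  # UTC date string -> Unix seconds, the unit of block timestamps
    return int(datetime.fromisoformat(s).timestamp())

START = ts("2017-02-28 15:00:00+00:00")  # "Start", from the page
END = ts("2017-03-21 16:00:00+00:00")    # "Deadline 4" / "Token is transferable"
MAX_TOKENS, MIN_GOAL, MIN_BUY, PRICE = 1000, 50, 1, 10  # constructed values

class CrowdsaleModel:
    def __init__(self):
        self.balances, self.paid = {}, {}      # tokens held / ETH paid per buyer
        self.unsold = MAX_TOKENS
        self.multisig = self.refund_pool = 0   # ETH in wallet / ETH sent back
        self.closed = self.goal_reached = False

    def buy(self, who, eth, now):
        tokens = eth * PRICE
        if not (START <= now < END) or eth < MIN_BUY or tokens > self.unsold:
            raise ValueError("buy rejected")
        self.unsold -= tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        self.paid[who] = self.paid.get(who, 0) + eth
        self.multisig += eth   # funds leave the crowdsale contract instantly

    def check_goal_reached(self, now):   # callable by anyone
        if now < END or self.closed:
            return                       # no effect while the sale is running
        self.closed = True
        self.goal_reached = self.multisig >= MIN_GOAL
        self.unsold = 0                  # burn: no further tokens can be issued

    def return_funds(self, eth):         # manual step by the wallet cosigners
        self.multisig -= eth
        self.refund_pool += eth

    def refund(self, who):
        owed = self.paid.get(who, 0)
        if not self.closed or self.goal_reached or owed > self.refund_pool:
            raise ValueError("refund rejected")
        self.paid[who] = 0               # clear the record before paying out
        self.refund_pool -= owed
        return owed

    def transfer(self, src, dst, amount, now):
        if now < END or amount > self.balances.get(src, 0):
            raise ValueError("transfer rejected")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
```

Clearing `paid[who]` before the payout mirrors the ordering a contract needs so that a repeated refund call pays nothing.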