This is a technical audit for Edgeless crowdsale and token smart contracts. Edgeless is a decentralized casino without a house edge.
The audit scope includes:
- Token contract (ERC-20)
- Multisignature wallet best practices
This audit is purely technical and is not investment advice.
Investor protection commitment statement
The Edgeless team is committed to investor protection, as stated by Tomas Draksas, Edgeless CEO.
“Ethereum has enormous potential”, comments Edgeless CTO, Ignas Mangevicius.
“However, every project which deals with financial transactions, such as a casino, requires extreme attention to security. And that’s our top priority, making sure that we implement the knowledge that the community gained from past incidents.”
I’d like to stress that Ethereum and blockchain technologies are still young. There are many factors outside the influence of the Edgeless team that may affect the Edgeless project and crowdsale. The Edgeless team takes precautions and follows Ethereum development best practices to avoid any known and unknown risks.
Protection of funds
When somebody participates in the Edgeless crowdfunding, the underlying smart contract moves the ether to an Ethereum multisignature wallet instantly. This multisignature wallet is a well-known contract, the same one that ships with Parity. The multisignature wallet cosigners are a geographically distributed team. They act as a human checkpoint for moving funds around. The human checkpoint is there to prevent theft, smart contract hacks and insider fraud attempts.
The funds are protected in case any issues are found with the smart contracts. Even if the crowdsale or token contracts were to have issues, the Edgeless team could manually issue the tokens.
In the case the ICO does not reach the minimum funding goal, the crowdsale smart contract can automatically issue a refund for all the participants. In this case funds are moved back from the multisignature wallet to the crowdsale contract and the participants can request a refund.
Guaranteed token supply and burn mechanism
At the end of the crowdsale the unsold tokens are burnt. Anyone can trigger the burn mechanism; it does not have to be a team member. No more EDG tokens can be issued.
The Edgeless team's internal test suite was not shared with me. I wrote my own automated test suite to ensure the contract functionality matches the Edgeless marketing proposal. Further tests were performed independently by Marco Polci. Thus the smart contracts have been vetted by at least three different parties.
Each function and variable of the smart contract source code was well commented.
I performed the following 19 tests on the given smart contracts. The test suite is available on GitHub. It includes the contract versions that were given to me for testing.
- Crowdsale test suite. Crowdsale is properly initialized with given parameters.
- Crowdsale test suite. Price tiers match given dates.
- Crowdsale test suite. Dates match given in the project material.
- Crowdsale test suite. Sending ETH successfully buys tokens.
- Crowdsale test suite. User can buy more tokens.
- Crowdsale test suite. Too small buy in gives an error.
- Crowdsale test suite. One cannot buy more than the maximum token allocation.
- Crowdsale test suite. One cannot participate in the crowdsale too early.
- Crowdsale test suite. Checking goal reached does nothing unless ICO is over.
- Crowdsale test suite. Checking goal reached closes crowdsale if we are past the end deadline.
- Crowdsale test suite. Crowdsale may not reach its minimum funding goal.
- Crowdsale test suite. Extra tokens are burnt as described at the end of the ICO.
- Crowdsale test suite. Buyer cannot transfer tokens before ICO is over.
- Crowdsale test suite. Refunding failed ICO gives ETH back correctly.
- ERC-20 compatibility test suite. Edgeless token satisfies ERC-20 interface.
- ERC-20 compatibility test suite. ERC-20 compatible transfer() is available.
- ERC-20 compatibility test suite. ERC-20 transfer fails if user exceeds his/her balance.
- ERC-20 compatibility test suite. Tokens can be transferred with ERC-20 allowance approval.
- ERC-20 compatibility test suite. One cannot transfer more than the approved allowance.
- Start is 2017-02-28 15:00:00+00:00
- Deadline 1 is 2017-02-28 16:00:00+00:00
- Deadline 2 is 2017-03-07 16:00:00+00:00
- Deadline 3 is 2017-03-14 16:00:00+00:00
- Deadline 4 is 2017-03-21 16:00:00+00:00
- Token is transferable 2017-03-21 16:00:00+00:00
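The fund-protection, refund and burn behaviour described above, and the checks in the test list, can be written as a reference model with an accounting invariant. This Python model is an added example, not the Edgeless contract or the audit's test suite: the class and method names are hypothetical, and it assumes a single price tier and that the burn happens when the sale is closed. Only the start and end dates come from the page; every amount is a constructed placeholder.

```python
from datetime import datetime, timezone

# START and END are the page's dates; all amounts used with this model are constructed.
START = datetime(2017, 2, 28, 15, tzinfo=timezone.utc)
END = datetime(2017, 3, 21, 16, tzinfo=timezone.utc)  # deadline 4, tokens transferable

class CrowdsaleModel:
    def __init__(self, min_goal, token_cap, min_buy, rate):
        self.min_goal, self.token_cap, self.min_buy, self.rate = min_goal, token_cap, min_buy, rate
        self.multisig = self.contract_eth = self.sold = 0
        self.supply, self.paid, self.tokens = token_cap, {}, {}
        self.closed = self.goal_reached = False

    def buy(self, who, eth, now):
        if self.closed or not START <= now < END:
            raise ValueError("crowdsale not open")
        if eth < self.min_buy:
            raise ValueError("buy-in too small")
        if self.sold + eth * self.rate > self.token_cap:
            raise ValueError("exceeds token allocation")
        self.multisig += eth  # ETH is forwarded to the multisig wallet at once
        self.paid[who] = self.paid.get(who, 0) + eth
        self.tokens[who] = self.tokens.get(who, 0) + eth * self.rate
        self.sold += eth * self.rate

    def check_goal_reached(self, now):  # no caller check: anyone may trigger it
        if now < END or self.closed:
            return False  # does nothing unless the sale is over
        self.closed, self.goal_reached = True, self.multisig >= self.min_goal
        self.supply = self.sold  # unsold tokens burnt here (modelling assumption)
        return True

    def fund_refunds(self):  # cosigners move ETH back after a failed sale
        if not self.closed or self.goal_reached:
            raise ValueError("no refund phase")
        self.contract_eth, self.multisig = self.contract_eth + self.multisig, 0

    def refund(self, who):
        # Token balances are left untouched: the page does not say what happens to them.
        if not self.closed or self.goal_reached or self.paid.get(who, 0) > self.contract_eth:
            raise ValueError("refund not available")
        eth = self.paid.pop(who, 0)
        self.contract_eth -= eth
        return eth

    def invariants_hold(self):
        # Every contributed unit of ETH sits in exactly one place; balances never exceed supply.
        return (self.multisig + self.contract_eth == sum(self.paid.values())
                and sum(self.tokens.values()) == self.sold <= self.supply)
```

Calling `invariants_hold()` after every state change in a randomized sequence of buys, closes and refunds gives a cheap oracle to compare against the deployed contract's balances.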