By Mikko Ohtamaa a year ago.
Update: As stated in the original blog post below, this was not a full audit of the overall project. The second part of the audit was never completed. The HKG team did not follow the advice given regarding having a halt function as a safety mechanism, having better documentation and code quality, and having a repeatable test suite and continuous integration tests. These factors, being part of normal professional software development best practices, would most likely have prevented or mitigated the HKG token code errors, which were caused by low overall code quality. After a breakdown in communications with the HKG team and their inability to provide a repeatable test suite, the audit was aborted.
The original blog post below:
I offered my help to the Virtual Accelerator project to review their smart contract for the HackerGold (HKG) crowdsale. This was after being tipped off by friends that I should take a look at it. The purpose of this review is to have an independent auditor go through the HackerGold crowdsale technical process and ensure it is solid.
Included in the review scope
- Review the smart contract used to raise funds and create HackerGold (HKG) tokens
Excluded from the review
- The smart contracts for the Virtual Accelerator project outside the fund raise (DSTContract and related). Development on these contracts continues after the fund raise, and the HKG contract has no direct dependency on the DST contracts. The authors asked me to continue the audit process for these contracts alongside the ongoing software development.
- Any investment advice regarding the Virtual Accelerator project
Communication with the authors worked well and promptly in their Slack, despite English not being their native language. The authors stressed that the deadline was imminent and that any review had to be performed in a narrow timeframe.
I received a link to the GitHub repository 10 days before launch. The reviewed smart contract version was https://github.com/ether-camp/virtual-accelerator/blob/6fd900f87efaeb03e807185c4fc1fe587e4af382/contracts/HackerGold.sol
Smart contract content
- Based on the standard ERC 20 token – https://github.com/ethereum/EIPs/issues/20
- Allows buying HKG tokens with ETH, based on a pricing structure
- Any Ether sent in is forwarded to the founders' multisig wallet. https://github.com/ether-camp/virtual-accelerator/blob/2529ffe5efd5294b44f1bc89dc9a4721a7b16409/contracts/HackerGold.sol#L96
- No transfer limits – the token is liquid from day 0
- The hard cap is set at 4000000 ether (47M USD). This is the highest known smart contract ICO cap as of Q3/2016.
- There is no built-in crowdsale halt function for the case where one is needed as a safety mechanism. There is no built-in crowdsale refund function either, though refunds can be handled manually, outside the contract. The team explains it is willing to follow the predefined constraints and to announce the procedure at the time of the launch.
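The halt mechanism this review recommended, as an added example in modern Solidity and not the HKG contract's own code: an owner-controlled `halted` flag gates every purchase path, while the hard cap check and the forwarding of all Ether to the founders' multisig follow the design described above. The flat token price, the contract and function names, and the multisig address are assumptions.

```solidity
pragma solidity ^0.8.0;

// Added illustration, not the HKG code: the price and the multisig address are constructed.
contract HaltableSale {
    address public owner;           // deployer; the only account allowed to halt
    address payable public wallet;  // founders' multisig that receives all ETH
    uint256 public constant HARD_CAP = 4_000_000 ether; // cap named in the review
    uint256 public constant TOKENS_PER_ETHER = 200;      // assumed flat price
    uint256 public raised;          // wei accepted so far
    bool public halted;             // emergency-stop flag
    mapping(address => uint256) public balanceOf;

    event Halted(bool halted);
    event Purchase(address indexed buyer, uint256 weiPaid, uint256 tokens);

    // Every purchase path carries this guard, so a single flag stops the sale
    // immediately if a defect is found after launch.
    modifier whenNotHalted() {
        require(!halted, "sale halted");
        _;
    }

    constructor(address payable founders) {
        owner = msg.sender;
        wallet = founders;
    }

    // Circuit breaker; both halting and resuming are deliberate and logged.
    function setHalted(bool stop) external {
        require(msg.sender == owner, "not owner");
        halted = stop;
        emit Halted(stop);
    }

    // Buy tokens with ETH; rejects contributions that would exceed the hard cap.
    function buy() public payable whenNotHalted {
        require(msg.value > 0, "no ether sent");
        require(raised + msg.value <= HARD_CAP, "hard cap reached");
        uint256 tokens = msg.value * TOKENS_PER_ETHER / 1 ether;
        raised += msg.value;
        balanceOf[msg.sender] += tokens;
        emit Purchase(msg.sender, msg.value, tokens);
        // Forward funds last (checks-effects-interactions); revert the purchase if it fails.
        (bool ok, ) = wallet.call{value: msg.value}("");
        require(ok, "forward failed");
    }

    // Plain ETH sends go through the same guarded path.
    receive() external payable { buy(); }
}
```

Once deployed, the owner can call `setHalted(true)` to stop all purchases in one transaction while the team investigates, and refunds remain a manual, off-contract process as the text describes.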
The HKG smart contract code is based on the ERC 20 standard. The code was partially commented.
There was no publicly documented process for the software development. A process should be established for the Virtual Accelerator contracts, as there will be more contracts that are more complex. The Ether.camp authors mention that they have been doing smart contract development for three years and have an internal software development process. The internal software development process is available for discussion, but it was not available in documented form for this audit.
Terms of service process
Crowdsale participants need to go through a click-through agreement on the crowdsale website to be able to participate in the crowdsale. This process ensures the participants are aware of the risks of participating in the crowdsale and lessens the risk of legal implications. The terms of service text was not reviewed during this audit.
The repository did not have a documented process to run the test suite or an automated continuous integration system. However, the authors helped to get to the point where the tests ran correctly. The test suite was not very well commented, but the test names gave some idea of what was tested. Unfortunately Solidity, the Ethereum smart contract language, does not yet have tools for automatic code coverage analysis, so coverage could not be measured, but based on a rough manual inspection it should be 100%.
The test suite was based on https://github.com/ether-camp/ethereum-testing-reference
The review followed the logic review guidelines described in http://ethereum.stackexchange.com/questions/8551/methodological-security-review-of-a-smart-contract
A GitHub pull request was created with comments on the review issues.
Investing in ICOs
This post is not investment advice. This is not a full review of the Virtual Accelerator project.
When investing in ICOs please follow the responsible investor guidelines.