trade.io get their ICO off to a smart start

The team over at trade.io launched their “Trade Token” ICO on Ethereum on 7th December. Business has been brisk, with early investors taking advantage of the lower prices for these ERC-20 compliant tokens. Further price increases are scheduled before the ICO closes on 4th January 2018.

Thankfully, trade.io took the sensible precaution of getting their smart contract carefully vetted before they went live. They asked our expert ICO security team to audit their Trade Token contracts to uncover any vulnerabilities, logical flaws or other code errors that might put their platform, funds and investors at risk.

A high quality contract

Our team performed detailed source code analysis of two Trade Token smart contracts, TIOToken and TIOCrowdsale, along with simulations of a real-world attacks to test their security provisions.

We didn’t find any vulnerabilities and our recommendations covered just a few points of best-practice. You can get the full details below.

This clean bill of health is great news for the trade.io team as well as their investors. Once again highlighting the importance of making smart contract security a top priority for every ICO.

The detailed lowdown on Trade.io

Here’s the fine print on our analysis: The audited contracts are held in the trade-io/Tradeio-TokenSale-Contract Github repository. The version used for this report is the commit f5c14561dcf37c0508554499a8de23fd134e0528.

The TIOToken contract is built on top of Majoolr’s TokenLib library with minimal additions. We found no vulnerabilities. Minor recommendations included:

  • Keep in mind that ERC20 standard has a possible attack vector on approve/transferFrom methods described here;
  • Consider making approveChange from TokenLib callable in TIOToken to avoid possible double spend attack;
  • Consider checking that _to argument is not equal to 0x0 in transfer and transferFrom functions in TokenLib.sol to avoid accidental token transfer to undefined addresses;
  • Consider raising the minimum version of Solidity compiler (currently 0.4.15) to the latest.

The TIOCrowdsale contract is built on top of Majoolr’s CrowdsaleLib library with minimal additions. Again, no vulnerabilities were found and our minor recommendations included:

  • Consider updating the number of tokens that are given per 1 eth to 625 as is stated by the whitepaper (currently 150);
  • Consider updating fallback exchange rate to 400 dollars per 1 eth as of 23.11.2017 (currently 300 dollars);
  • Consider checking error in receivePurchase() function in DirectCrowdsaleLib when subtracting _numTokens from owner’s tokens in withdrawTokensMap;
  • Consider calling setTokens() in setTokenExchangeRate() in CrowdsaleLib to avoid code duplication;
  • Consider raising the minimum version of Solidity compiler (currently 0.4.15) to the latest.


trade.io get their ICO off to a smart start was originally published in ICO Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

This is a Security Bloggers Network syndicated blog post authored by Positive ICO. Read the original post at: ICO Security - Medium