Releases: CoMakery/algorand-security-token
Releases · CoMakery/algorand-security-token
v1.0.0 Audited Smart Contract
Release candidate v0.9.1
QuantStamp Security Audit Remediation
Here is a link to the diff showing all changes from the original v0.9.0 version that was audited and this new release candidate.
| ID | Description | Resolution |
|---|---|---|
| QSP1 | Frozen And Locked Accounts Can Receive Transfers | This is as designed. See Updated Q&A for the reasoning behind this design. |
| QSP2 | Unchecked Account Max Balance When Minting | Fixed. See PyTeal security_token.py |
| QSP3 | Admin Can Remove Himself | Fixed. See PyTeal security_token.py |
| QSP4 | Incorrect Total Supply Notion | Addressed. See PyTeal security_token.py |
| QSP5 | Users Could Have Their Tokens Burnt | Further Q&A Documentation with Multi-Sig recommendation |
| QSP6 | Poor Code Documentation | Extensive PyTeal Comments Added. More README documentation. |
| QSP7 | Contract Admin Cannot Freeze Accounts | After additional security review the Roles have been made more granular to enforce the principle of least authority more strongly. The contract admin's role is intentionally limited so that this key can be moved to cold storage, have more restrictive Algorand multi-signature keys and be accessed very rarely. See updated Q&A, The Roles Matrix, the list of Application Functions and the updated PyTeal grantRoles function. |
| QSP8 | Pending Standardization | Functions have been renamed to match the OpenZeppelin implementation of the ERC20 standard where possible. The function names now use camel case. name, cap symbol, decimals, transfer, mint, burn and totalSupply are used. totalSupply behaves as expected with tokensSupply increasing after mint and decreasing after burn. Some ERC-1404 behavior is referenced as possible within the Algorand TEAL smart contract system. See Updated Q&A |
| QSP9 | Missing Functions | See Updated Q&A explaining why the ERC20 approve() and transferFrom() functions are not appropriate for Algorand. |
Additional Comments
- A "detect" transfer restrictions function has been added to match the ERC-1404 standard. The title is shorter than
detectTransferRestrictionfunction because the Algorand TEAL 1000 bytes compiled contract limitation applies to the length of function names. - Many additional tests have been written.
- Tests now run on GitHub CI
- https://github.com/CoMakery/algorand-security-token/blob/master/.github/workflows/tests.yml demonstrates how a private network development environment can be setup for local testing.
- Documentation clarifies Txn.accounts[n], Txn.sender(), Txn.accounts.length() and tealdbg values
- Teal contract deployment memory allocation clarified
- Guidance on how to check TEAL compiled contract size does not exceed 1000 bytes. This is now checked on CI as well.
Pre Release For Auditing
Feature freeze for auditing. This release does not incorporate feedback from auditing and is not production ready.