Question on smart contract inheriting from OpenZeppelin ERC777 implementation

The Cryptocurrency project Datamine ($DAM) implements a contract largely built with OpenZeppelin functions. The Datamine project offered a bug bounty of $5,000 for “anyone who is able to identify a major exploit/security vulnerability disclosure involving our smart contracts, namely the ability to gain extra FLUX rewards or withdraw DAM tokens that do not belong to their account”.

A “security researcher” of some nebulous repute allegedly identified a major vulnerability within the Datamine implementation of OpenZeppelin’s smart contract platform, notably that their implementation is open to a Frontrunning vulnerability.

They give a breakdown here: https://librehash.org/auditing-the-flux-smart-token-contract-major-vulnerability-found-5-000-bug-bounty-denied-with-team-also-refusing-to-acknowledge-or-patch-part-one/

The DAM smart contract is located here on Github: https://github.com/Datamine-Crypto/white-paper/blob/master/contracts/dam.sol

Notable area that was highlighted as problematic is beginning at line 960.

Hi @NationalPotato,

This is what I posted on the OpenZeppelin Telegram yesterday in response to a question about this:

Comparing the verified source code of the Flux token (https://etherscan.io/address/0x469eDA64aEd3A3Ad6f868c44564291aA415cB1d9#code) with a vanilla token inheriting from OpenZeppelin Contracts ERC777 implementation it appears that Flux inherits from OpenZeppelin Contracts v3.0.1 with no modification of the OpenZeppelin Contracts code.

Inheriting and extending from OpenZeppelin Contracts is how they should be used and is not plagiarism. The verified source code on Etherscan appropriately lists the license as MIT which is the opensource license used by OpenZeppelin Contracts.

As for the ERC20 approve function, it is part of the ERC20 specification and there is a well-known issue around setting allowances.
The OpenZeppelin Contracts ERC implementations should be compliant with the ERC specifications. Please report any issues on the OpenZeppelin Contracts GitHub repository.

I haven’t looked at the Flux token code beyond the inheritance of the OpenZeppelin Contracts ERC777 implementation.

1 Like

As an aside, the recommended way to use OpenZeppelin Contracts is to import them. (see: Usage).

To keep your system secure, you should always use the installed code as-is, and neither copy-paste it from online sources, nor modify it yourself.

1 Like

Thank you very much for your response!

1 Like

Hi @NationalPotato,

Welcome to the community :wave:

Feel free to ask any questions that you need.