BUG BOUNTY

Columns Timestamp through ETH wallet address are completed by the registrant; the Severity as deemed by Coinvest, Notes and Total stakes columns are completed by the Coinvest community manager. Updated on 1/29.

Each submission below is listed with these fields:
Timestamp
Email (What is your email address?)
Self-assessed severity (validated by the Coinvest development team)
Issue (Please describe the issue / bug.)
ETH wallet address
Severity as deemed by Coinvest (Low / Medium / High / Critical)
Notes
Total stakes

Timestamp: 12/3/2017 11:21:01
Email: bitkolik2@gmail.com
Self-assessed severity: Medium
Issue:
Contracts/Token/CoinvestToken.sol

(False)
uint public constant decimals = 18;

(True)
uint8 public constant decimals = 18;

(Source)
https://theethereum.wiki/w/index.php/ERC20_Token_Standard
ETH wallet address: 0xB7B8CE6E22db8674D047614F63bA0B13A8d062e3
Severity as deemed by Coinvest: Low
Notes: Uint8 is a bit more explicit than Uint but this affects nothing (may make it a bit less efficient actually).
Total stakes: 100

Timestamp: 12/14/2017 20:04:27
Email: henry.ericson.1978@gmail.com
Self-assessed severity: Low
Issue: Line 83 of CoinvestToken.sol: Gas requirement of function CoinvestToken.name() unknown or not constant. If the gas requirement is higher than the block gas limit, it cannot be executed. Please avoid loops in your functions or actions that modify large areas of storage.
ETH wallet address: 0x020F087aa167FE27747E2082E730389b5BCeEE50
Severity as deemed by Coinvest: Invalid
Notes: CoinvestToken.sol does not contain the referenced line or function.
Total stakes: n/a

Timestamp: 12/14/2017 20:10:26
Email: henry.ericson.1978@gmail.com
Self-assessed severity: Low
Issue: Line 24 of SafeMath.sol: There is an assertion failure when a = 0 and b = 1.
ETH wallet address: 0x020F087aa167FE27747E2082E730389b5BCeEE50
Severity as deemed by Coinvest: Invalid
Notes: The explicit purpose of SafeMath is to error in this case.
Total stakes: n/a

Timestamp: 1/24/2018 1:49:31
Email: itsreitz@gmail.com
Self-assessed severity: Medium
Issue: Spelling error on your Telegram post and pinned message. Submitted to and verified by Oleg @ Coinvest.
ETH wallet address: 0x325442bA2cEE41D9eBdE18962cA6dAD9EaB0E0c8
Severity as deemed by Coinvest: Invalid
Notes: This bounty is for items related to our Coinvest smart contracts.
Total stakes: n/a

Timestamp: 1/26/2018 15:00:55
Email: donnie.darko.jr@gmail.com
Self-assessed severity: Critical
Issue: You can see the details in the doc link below: https://docs.google.com/document/d/12Y5h1Kvypsg0LoXixJmYAN5TIyxw9Fn2tORBt9Acvq0/
ETH wallet address: 0x6e453d404669fA4b1064C898cea3105f662C85e5
Severity as deemed by Coinvest: Invalid
Notes: This bounty is for items related to our Coinvest smart contracts.
Total stakes: n/a

Timestamp: 1/26/2018 19:08:19
Email: bitkolik2@gmail.com
Self-assessed severity: High
Issue:
Contracts/Token/CoinvestToken.sol

(False)
uint256 _totalSupply = 133928571 * (10 ** 18);

Total supply should be 107142857 according to the whitepaper...

(Source)
Whitepaper
https://docs.google.com/document/d/1ePI50Vd9MGdkPnH0KdVuhTOOSiqmnE7WteGDtG10GuE/edit?usp=sharing
ETH wallet address: 0xB7B8CE6E22db8674D047614F63bA0B13A8d062e3
Severity as deemed by Coinvest: Low
Notes: Math calculation error
Total stakes: 100

Timestamp: 1/27/2018 20:54:41
Email: ilhamjay44@gmail.com
Self-assessed severity: Critical
Issue: It is better to use an anonymous and untracked blockchain (XMR) method when transacting, by combining it with the properties of Bitcoin, which is easy to trace while transacting. You may use both of them for your consumers' purposes: for a bank's consumer it may be appropriate to use the blockchain character of Bitcoin to leave evidence of transfer, and for a consumer who wants an anonymous identity it is suitable to use the Monero (XMR) blockchain. Hopefully Coinvest becomes more advanced.
ETH wallet address: 0x3A32196C114A1C0680b753B5Cf98A4Abd6877C97
Severity as deemed by Coinvest: Invalid
Notes: Anonymity is great for users but smart contracts cannot currently be written on Monero. With the implementation of zk-SNARKs on Ethereum this is a possibility in the future but not a feature we are currently pursuing.
Total stakes: n/a

Timestamp: 1/29/2018 12:16:50
Email: badboi1@live.de
Self-assessed severity: Low
Issue: Website is vulnerable to a "clickjacking attack", because no X-Frame-Options header was returned from the server. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never wanted to click on.
ETH wallet address: 0x4C8c4E09E6F281A2372355b6b4785Bace328047A
Severity as deemed by Coinvest: Invalid
Notes: This bounty is for items related to our Coinvest smart contracts.
Total stakes: n/a

Timestamp: 2/4/2018 10:56:42
Email: anupthapa1424@gmail.com
Self-assessed severity: Low
Issue: Your page does not contain any H1 headings. H1 headings help indicate the important topics of your page to search engines. While less important than good meta-titles and descriptions, H1 headings may still help define the topic of your page to search engines.
ETH wallet address: 0x0aAADF11436fC3606AD253667C03226fe0B545A0
Severity as deemed by Coinvest: Invalid
Notes: This bounty is for items related to our Coinvest smart contracts.

Timestamp: 2/4/2018 12:00:07
Email: i.kopestpanda@gmail.com
Self-assessed severity: Critical
Issue:
Dear Coinvest team,

I am writing you concerning research I have made regarding the security level of the code available on your repository. I hereby hope the material I can provide can be of any help to you and your project.

The main issue I would like to point out is found in the Investment contract. The Invest() function contains a high number of arithmetic and boolean operations. Those operations used in the context of smart contracts could result in unpredictable behavior in the case of a mutated instance of a smart contract in the EVM. This can be particularly impactful since the primary activity is investing. I have found an open issue on the Solidity repository addressing this topic:

https://github.com/ethereum/solidity/issues/1172

It points out that there is currently no existing framework that can allow developers to ensure mutation resiliency since the Solidity compiler cannot produce bytecode including mutated primitives and operations for the EVM. Foolproof mutation testing would ensure that at least one of the unit tests targeting the Invest() function detects each possible mutation. This could guarantee high robustness and security since the arithmetic mutations could not result in erroneous transactions in the distributed consensus.

As this article mentions (cf. section "Solidity"):

https://blog.ethereum.org/2017/07/08/roundup_q2/

There exists a new feature that allows one to export the full AST with type annotations. Unfortunately, mutating and reintegrating it is currently not natively implemented. Therefore, it is still impossible to guarantee mutation resiliency with an existing tool. I have researched such tools/frameworks for Solidity, but have not found any relevant solutions.

Therefore, the current state of development of the EVM and Solidity would not enable mutation testing for the Invest() function as such. I do not know the exact nature of your testing process, but I have worked on mutation testing in the past and I think I could provide you with "educated advice", or at least a little educated.

In the following document:

http://www.inf.ed.ac.uk/teaching/courses/st/2011-12/Resource-folder/09_mutation.pdf

It is stated that this kind of testing can be performed to mitigate effects of bytecode transformations as mentioned above. Since production of mutants would require your team to either wait for or develop a mutation parser and generator yourself, I believe it would be more cost-efficient for your team to focus on workarounds that provide the closest equivalents.

For that matter, I would suggest a simple modification in the Invest() function, and more generally in the entire code itself, that could help increase the robustness of your contracts. Since mutations that effectively infect a program strongly disrupt the code areas that perform arithmetic operations or boolean comparisons (==, +, /, <, <=, ...), there is a higher chance of capturing defects by adding very frequent assertions.

For example, at line 93 of Investment.sol, there is an additive iteration for the investAmount variable. It could improve the security level of the program to assert that after each addition the variable value does actually correspond to the amount, s.t. in case the "+=" has mutated to "=" or anything else, the disruption is detected and the function can handle it.

I hope that I have been able to help you in any way, and that your project continues on its good way.

Best regards,

Igor Kopestenski
ETH wallet address: 0x626b2A247513A2f335e642C0F711E312482beDB9

Timestamp: 2/8/2018 3:21:16
Email: anupthapa1424@gmail.com
Self-assessed severity: Low
Issue:
Anup Thapa:
Your page does not contain any H1 headings. H1 headings help indicate the important topics of your page to search engines. While less important than good meta-titles and descriptions, H1 headings may still help define the topic of your page to search engines.
ETH wallet address: 0x0aAADF11436fC3606AD253667C03226fe0B545A0
Severity as deemed by Coinvest: Invalid
Notes: This bounty is for items related to our Coinvest smart contracts.

Timestamp: 2/8/2018 3:36:57
Email: pramodniroula321@gmail.com
Self-assessed severity: Low
Issue: On the website, a website firewall is not set up. This makes it unsafe for users.
ETH wallet address: 0x8215c7c400878f6bc8F5F6Fa1D420d61a5313000
Severity as deemed by Coinvest: Invalid
Notes: This bounty is for items related to our Coinvest smart contracts.

Timestamp: 2/20/2018 3:29:55
Email: rockysalvador03@gmail.com
Self-assessed severity: High
Issue: No issue
ETH wallet address: 0x28BA1A96449476715ee27aca2023a23D0dE33fd4
Severity as deemed by Coinvest: N/A
Notes: N/A

Timestamp: 1/30/2018
Self-assessed severity: Invalid
Issue: uint public constant decimals = 18;
Severity as deemed by Coinvest: Invalid
Notes: We've already dealt with this formatting.
Total stakes: n/a

Timestamp: 1/30/2018
Self-assessed severity: Invalid
Issue: 2. Use SafeMath in transfer and transferFrom functions.
Severity as deemed by Coinvest: Invalid
Notes: A good suggestion but we're comfortable with the checks we're doing.
Total stakes: n/a

Timestamp: 1/30/2018
Self-assessed severity: Invalid
Issue: 3. if (msg.sender != oraclize_cbAddress()) throw;
Severity as deemed by Coinvest: Invalid
Notes: This falls under the category of "if it ain't broke don't fix it." It's deprecated but it continues to be the documented method for Oraclize and we do not want to bring in risk by making changes.
Total stakes: n/a

Timestamp: 1/30/2018
Self-assessed severity: Invalid
Issue: 4. Consider avoiding the usage of "for" loop as iterating through the array of unknown size might consume all the gas provided (run out
Severity as deemed by Coinvest: Invalid
Notes: Good suggestion but we do not count this as a bug at the moment
Total stakes: n/a