Introduction

PeckShield provides a comprehensive security service to audit tradable tokens. According to PeckShield Security Rating Model (PSRM), the security ratings of tokens are calculated based on the severity of vulnerabilities discovered from their corresponding smart contracts. Investors and exchanges are advised to pay attention to tokens with low security ratings, especially those below B, which may lead to serious financial damages if being exploited.

Announcement

Several teams have contacted us for detailed information, and some high-risk security issues have been fixed through this collaboration. We then adjusted the ratings and rankings accordingly, as follows:

  1. Aug 20, we have confirmed that the high-risk bugs in the latest contract of SWFTC had been fixed by setting the privileged address to 0x0. The rating was updated from F to B;
  2. Aug 20, we have confirmed that the high-risk bugs in the latest contract of INT had been fixed by setting the privileged address to 0x0. The rating was updated from F to B.

Basic Rules of PeckShield Security Rating Model

The auditing results are summarized and modelled in accordance with the following rules:

  1. Tokens with critical or high level vulnerabilities are rated as F; such tokens are highly vulnerable and might lead to huge losses for investors and exchanges;
  2. Tokens with medium or low level vulnerabilities are rated from A- to D depending on the type and number of vulnerabilities, as follows:
    • The full score of 10 is labelled as A, scores under 6 are labelled as F, and there are 7 grades between A and F, i.e., A-, B, B-, C, C-, D and D-;
    • Subtract 1 point for each medium level vulnerability; the cumulative subtraction shall not exceed 3 points;
    • Subtract 0.5 point for low level vulnerabilities being detected.
  3. The rating of a token is downgraded by one level if its smart contract has not been verified on etherscan.io;
  4. Tokens rated as B or lower might be under the risk of being exploited.
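The rules above, worked through as an added Python example (this is not PeckShield's own code). It assumes, since the text does not say, that 0.5 point is subtracted per low-level finding and that the grade ladder steps down one grade per 0.5 point from 10 (A) to 6.5 (D-), with a score of exactly 6 also treated as D- so that only scores strictly under 6 become F.

```python
from dataclasses import dataclass

# Grade ladder from best to worst; F sits below it (assumed 0.5-point steps).
GRADES = ["A", "A-", "B", "B-", "C", "C-", "D", "D-"]


@dataclass
class Findings:
    """Audit findings for one token contract (constructed sample input)."""
    critical: int = 0
    high: int = 0
    medium: int = 0
    low: int = 0
    verified_on_etherscan: bool = True


def score(f: Findings) -> float:
    """Numeric PSRM score under the subtraction rules (critical/high handled in rate())."""
    medium_penalty = min(f.medium * 1.0, 3.0)  # rule 2: cumulative cap of 3 points
    low_penalty = f.low * 0.5                   # assumption: 0.5 per low-level finding
    return max(0.0, 10.0 - medium_penalty - low_penalty)


def grade_from_score(s: float) -> str:
    """Map a score to a letter grade: 10 -> A, 9.5 -> A-, ..., 6.5 (and 6.0) -> D-, <6 -> F."""
    if s < 6.0:
        return "F"
    steps = int(round((10.0 - s) * 2))          # one ladder step per 0.5 point lost
    return GRADES[min(steps, len(GRADES) - 1)]


def downgrade(grade: str) -> str:
    """Rule 3: move one level down the ladder; D- and F both end up as F."""
    if grade == "F" or grade == GRADES[-1]:
        return "F"
    return GRADES[GRADES.index(grade) + 1]


def rate(f: Findings) -> str:
    """Final PSRM rating for a set of findings."""
    if f.critical or f.high:                    # rule 1: critical/high is an outright F
        return "F"
    grade = grade_from_score(score(f))
    if not f.verified_on_etherscan:             # rule 3: unverified source costs one level
        grade = downgrade(grade)
    return grade


def at_risk(grade: str) -> bool:
    """Rule 4: tokens rated B or lower might be under the risk of being exploited."""
    return grade == "F" or GRADES.index(grade) >= GRADES.index("B")
```

Note that under the rules as written a single medium-level finding already drops a token from A to B, so A- is reachable only through a low-level finding.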

Methodology

To standardize the evaluation, we define the following terminology based on the OWASP Risk Rating Methodology:

Likelihood and impact are each categorised into three ratings: high, medium and low. Severity is determined by likelihood and impact together and falls into four categories, i.e. Critical, High, Medium and Low, as shown in the table below.