⇐ Back to the beginning of the blog

Skyfchain ICO: review, audit

This report contains an audit of ICO Skyfchain, conducted in CryptoB2B on July 30, 2018. Were studied the smart cotract, methods of collecting money, protecting investors rights, honesty and publicity of the process. As a result, gross violations of any aspects of the ICO have been identified. For example, the collection of money is carried out in suspicious locations, there are facts of a huge software wind up of monetary transactions, a smart contract is announced, but it is only a screen and in fact does not take any part in the ICO. Overall technical level of the project: extremely bad.

img 5b5e713cc0d88 - Skyfchain ICO: review, audit

Smart Contract

Addresses related to ICO:

A smart contract contains an infinitely large number of ways, when the founder (if desired) can select / not pay tokens to the investor, and also keep as many of the tokens within Hardcap as he want. Usually such ICOs are classified as fake, where tokens are once emitted into the founder’s wallet and then somehow distributed. Several cosmetic techniques have been added here, somehow ennobling such a gross violation of the rights of the investor.

A smart contract creates 100% of tokens for different wallets at once:

  •         528 million – wallet “for ICO sale”
  •         18 million – wallet “bounty”
  •         240 million – wallet “team”
  •         120 million – wallet “community development”
  •         180 million – wallet “network development”, partly with freezing for 2 years, partly with the ability to take them immediately
  •         114 million – wallet “reserve” with a freezing for about 1 year

Further, it is supposed to somehow bypass some management systems to raise money (and not a smart contract), and after payments it is supposed to transfer tokens from the personal wallet of the founder (with 528 million tokens) to the next investor in the volume of its acquisition.

At the end of the ICO, it is assumed that the founder must call the finalize () function and burn the remaining tokens.

The simplest thing you can think of is that the founder does NOT call the finalize function and all the remaining tokens remain to him. No way to force the founder to do this – no. In normal systems, when the collection of money carries out a smart contract on its account, the founder is forced to call finalize if he wants to receive money from this contract. The similar logic of the smart contract work stands next:

  • The developer of the smart contract and the founders of the project viciously scoff at the ideology of the blockchain, where no one should promise anything to anyone. The phrase “We promise to burn unsold tokens” is a profanation of the idea of the blockchain and demonstrate to everyone how and how wrong the founder imagines the ICO, the procedure of honest exchange of money for tokens, and protection of investors rights.
  • It seems that at least Hardcap on tokens of 1.2 billion can not be overcome / faked. However, such deception is easy, if the founder wants. Investors at the time of payment send money to extraneous addresses (not to the address of the discussed smart contract). Therefore, in response to them, you can send absolutely any tokens, from another smart contract.
  • In the interval between the creation of 528 million tokens in the wallet “For sale at ICO” and until the finalization there are no checks and controls what the founder does. Even if the founder calls finalize (), but until that moment the founder could take as many tokens as he wished. This would indirectly leave more tokens than is required for all other types of wallets.
  • The list continues to be meaningless, because the founder conducts the ICO bypassing the smart contract and is therefore not limited by any limits. If there was some code in a smart contract that could be studied, an audit would be done. The current situation is characterized by virtually no code, which makes its audit simply impossible. The code that is given on the link is a simple screen and does not have any relation to the ICO.

Transaction analysis https://etherscan.io/txs?a=0x5dd0815a4cf119ad91ba045bbbf879f3f7de3c68& states, that there is mainly used the distribution of tokens for AirDrop and other marketing programs.

Each transaction uses 1 token address. The smart contract developer has such a low qualification that he does not suspect the existence of arrays and the ability to send tokens at once to 100-200 recipients in one operation. This number of transactions is meaningless and harmful for Ethereum – they do nothing, hammering the lock with garbage in the style of CryptoKitties.


On other sites was found information that the project has Softcap. It’s a lie, it’s missing. On the website of the project information is also not there. Other auditors can use the archive.org site to find out how the founders of the project announced the ICO at the beginning of the fees and whether there is anything suspicious here.

 

Investors Rights

Unfortunately, unlike the infinitely large rights of the founder, investors have the same zero rights. And, because of the lack of code, it is impossible to point out specific violations of rights, everything can happen:

  • the procedure for obtaining money is entirely not related to the charging of tokens
  • the founder does the charging of tokens solely on his own will and can choose any bonuses at the same time
  • investors have no guarantee that other investors (or founders) have not received tokens for critically unprofitable at the first price / bonus
  • the larger transfer a big investor will do, the more he can count on a larger bonus in the negotiation process (we recall that the smart contract that regulates it is not available at all, you can trade like in the market)
  • the investor can not defend himself or find out exactly which amount of tokens after the end of the ICO are left by the founder

Enumerate threats to the investor does not make sense because of the actual absence of a smart contract, which somehow organizes the process of selling tokens.

 

Collecting money method

As noted, the money goes past a smart contract. Individual addresses for BTC are used:

img 5b5e6abbea523 - Skyfchain ICO: review, audit

When checking the blockchain transactions – they are not there, i.e. the collection does go to the personal address created for each investor.

When the Personal Cabinet issues an individual wallet (not a general wallet) for payment to the investor, it does not have any tools to check whether this is correct. When the fees go to a single wallet for each blockchain, then before payment it can be checked – in the telegram channel of the project, in the almost dead Bitcointalk, in White paper, in other places.

If one of the following occurs:

  • hacker completely changed the algorithm for generating all the wallets and private keys to them
  • hacker selectively replace wallets to investors, so that he is not immediately been caught
  • disloyal employee (programmer) or other persons (employees of the hoster) do the same (mass or secret substitution, little by little)
  • the programmer unintentionally broke the algorithm for issuing wallets (either massively or selectively)
  • the programmer / founder lost the base of the private keys of the created wallets (if they are generated not by the basic BIP32 Root Key or analog)

then the investor will not be able to protect himself from this. Even with all his desire, such methods of organizing the Personal Cabinet are a bad practice associated with facilitating the programmer’s work on identifying payments (roughly speaking, this is due to laziness, inexperience of developers, cheap product, total disregard for the need to be ready for audit).

If the described problem happens, the investor does not prove that the site caused him to transfer money to the wrong address. When ICO uses a single collection address for each blockchain, in the event of a break-in, it becomes known to everyone, especially company employees, quite quickly (panic in the chat, as a rule). With individual wallets – the problem can not be detected as long as desired. The threat of loss of collected money is a threat to the welfare of the whole project.


img 5b5e6bc6169e0 - Skyfchain ICO: review, audit

A beautiful picture from the site hints that the user’s money goes into a smart contract, including USD (!). In fact, payments arrive in chaotic places, and the picture is false.

 

Smoke and mirrors

img 5b5e60494d644 - Skyfchain ICO: review, audit

The personal cabinet hints (advertises) for the existence of a smart contract. This is an attempt to classify the product some standards, protocols, regulations, when in fact there is nothing like this. The softest term is unfair competition and deceit of the user regarding the existence of a smart contract that manages the ICO. There is a smart contract, only an outsider.

 

Two-factor authorization

img 5b5e6939ba8c7 - Skyfchain ICO: review, audit

2FA is a useful and necessary function. However, according to statistics, almost no one will voluntarily include it. Consequently:

  • this is a useless function
  • paid to programmers for this
  • it creates the illusion of security when no security is added

In ICO platform from CryptoB2B there is no useless 2FA, but there is a compulsory and immediately included three-factor (multifactorial) authorization, which acts imperceptibly for the user. If a hacker somehow gets access to a user’s account, it will not bring him results.

 

Information verification

ETH charges are made at https://etherscan.io/txs?a=0x199F2202D878e9747b4f96cdf2c980D59d7C0969 and there are thousands of suspicious transactions. For example, https://etherscan.io/txs?a=0x199F2202D878e9747b4f96cdf2c980D59d7C0969&p=68

img 5b5e66064dae3 - Skyfchain ICO: review, audit

A large number of nines (not shown in full, see Information about each transaction) speaks about the program nature of these operations. When people invest, the amounts are rounded in different ways. In addition, people do not put an equally low or constantly repeating transaction price (the last column). It is difficult to find the reasons for these anomalies, the most likely reason is to “rent money” or “run around the money” when they come and fall from the account for which funds are received for ICO. These operations Personal Cabinet shows as investment in unimaginable amounts by the number of participants, compared to which the most popular ICO can not boast.

 

Money Collection Widget

As it was noted above, the collection procedure is arranged so that there is no way to check how much money was collected. Because of this, it is possible to suspect the founders of any fraud, which is beyond the scope of this technical report.


In addition, a simple information about the company’s progress is horribly organized. Here’s what’s on the site:

img 5b5e6ba415f4f - Skyfchain ICO: review, audit

img 5b5e6ca2cc326 - Skyfchain ICO: review, audit

There is no way to understand:

  • the Hardcap
  • how many rounds
  • how much is already collected (the number $ 6M hints at it, but it has no comment and can turn out to be anything)
  • how many tokens total for sale
  • how many tokens have already been sold
  • and s.o.

This idea of usability makes it possible to understand how the founder of the project relates to the quality of the information flow. This can be judged by the quality of the main product that the company will create in the future.


img 5b5e6d816745e - Skyfchain ICO: review, audit

Absolutely illogical numbers appear inside the cabinet:

  • collection is not $6M, but $5M (??)
  • finished at 120% (??)
  • registrations ~ 11000 people, and payers ~ 7000 people (60%), which does not happen in reality (a huge chance that this is a lie)
  • Succesfully processed 100%” – useless information, because this number will always be 100%
  • “Active investors 100%” – similarly 

The personal cabinet is replete with various reports. But:

  • There is no information how many ETH and BTC have been collected with the link, where it can be checked
  • No token sales report
  • Constant slyness or lies: for example, in TOP “the richest investments” there are no links to transactions and just a search to locate them failed
  • A huge number of automatically generated operations
  • A large number of reports is designed to dazzle and ensure solidity, although the main indicators are hidden

 

Conclusions

  • Low quality of website usability and Personal Cabinet for providing financial information
  • Rough bugs with ICO numbers and reports that look like fraud
  • The method of collecting money is intentionally difficult, at least some audit can not be conducted
  • The technical quality of the smart contract code is critically low
  • The ICO rules are on the verge of fraud
  • Absence of any protection of the rights of investors’ interests
  • Limitless rights of the project’s founder to tokens and their distribution
  • No trace of 5 (or 6) million dollars of collection was found (note that it is unclear how much they announce about fees)
  • No traces ~ 7000 buyers of tokens not found

The whole system is built in such a way that any analyst / auditor can easily blame the project for fraud. Non-transparent money collection mechanisms and the distribution of tokens are an easy basis for accusations of anything. However, in this review only technical principles are considered, and not the motives of the founder, therefore, no conclusions (except for the most obvious nonsense) are being made. The document is an estimative judgment of its author and in general the company CryptoB2B does not doubt the good intentions of the founders, and also wishes successes in the implementation of the project.

 

Technical rating of the Skyfchain project

Description of the main idea? Not rated: +0.
[-10=missing, 0=neutral, +5=presented]

Was there an obvious technical lie (fraud)? Found, -10.
[-10=found, 0=did not evaluate, +3=positive]

Are the main functions of the project related to the blockchain? Not evaluated, +0.
[-10=not have, 0=have, +10=ecosystem]

Adequacy of the tokens sale, protection of the interests of investors? Awful (negative), -10.
[-10=violations, 0=did not evaluate, +5=fair ICO]

The quality of the code, errors in the smart contract? Low quality (negative), -3.
[-10=errors found, 0=not evaluated and/or no errors found, +5=good quality]

The team’s openness to the audit and answers to uncomfortable questions? Have not analyzed,+0.
[-10=hostility, 0=not conducted, +2=open to cooperation]

Interim assessment by the formula: -10-10-3 = -23 points. Numbers less than zero or more than 10 are rounded to the range [0 … 10]. Total: “-23” is rounded to “0”.

Evaluation grades:

  • -50 … -21 = Extremely bad
  • -20 .. -10 = Very bad
  • -9 … +0 = Bad
  • +1 … +3 = So-so
  • +4 … +9 = Positive
  • +10 .. +20 = Excellent
  • +21 and more = Ideally

Final technical rating of cryptob2b for Skyfchain project: 0 out of 10, rating – Extremely bad.

⇐ Back to the beginning of the blog