Issue 01

Description

The owner can blacklist any address for 2 days after deploying the contract.

Recommendation

Either remove this function or add a require statement that prohibits the owner from blacklisting the pair address and the contract address. In addition, add a time limit for the setBlacklist function.

Issue 02

Description

The owner can disable trading and make the token untradeable.

Recommendation

Either remove this function or add a require statement that prevents the function from disabling trading once enabled.

Issue 03

Description

approve is being called on every transaction which automatically contributes liquidity to the pool, on the same tokens and for the same spender (the router).

Recommendation

In order to reduce gas costs, approve could be called once (with max int).

Issue 04

Description

_transfer may internally call to external contracts (e.g. the router or vault contracts). Since these functions can be called during _transfer, it may cause the function to unnecessarily fail. In addition, if this function fails constantly it will make the token untradeable. A malicious owner can cause the transfer to the vault address to consistently fail and make the token untradeable.

In this case, the addLiquidity and swapTokens can fail when calling the router and transfer can fail when calling the vault.

Recommendation

Use try-catch when calling external functions in critical path flows. Our recommendation is to always make sure error cases are handled gracefully in critical functions such as _transfer.

Issue 05

Description

The calculation of the liquidity fee amount seems to be complex. To make the calculation simpler and easier to read, you can follow these steps:

• Swap (amountOfFees * liqFeePercentage / 2) for ETH in order to add liquidity.

• The same value will be added as liquidity along with the newly swapped ETH.

• The rest of the fees are transferred to the vault.

Issue 06

Description

_liqFeeCollected and _vaultFeeCollected are both in token units while amountBNB is in BNB units. Therefore the calculations on amountBNBLiquidity and amountBNBVault are wrong.

Issue 07

Description

The token will be untradeable should the owner set either of these values to 0.

Recommendation

Consider adding a minimum value to these functions (via a require statement). Furthermore, consider setting the minimum value to a percentage of the pair balance out of the total supply.

Max tx amount need to be greater than 0.1% of the total supply.

Issue 08

Description

There is no upper limit to the setFees functions. If the owner sets them to 100% the token will be untradeable.

Recommendation

Consider adding an upper limit to these functions.

The total amount of fees that can be taken is 25%.

Issue 09

Description

Make sure the fees are always in range and not greater than the percentage factor.

Issue 11

Description

There is a receive function in the contract, which means any address can send BNB to the contract.

Recommendation

In order to prevent the contract from receiving BNB from investors, who can lose their funds, our recommendation is to only accept BNB from “whitelisted” addresses (e.g. the router address). The receive function will revert if the address is not whitelisted.