# preSaleMasterForToken.sol

## **Issue 01**

| **Type**      | **Severity**                             | **Location**        | **Status**                                     |
| ------------- | ---------------------------------------- | ------------------- | ---------------------------------------------- |
| Logical Issue | <mark style="color:red;">**High**</mark> | `initializePresale` | <mark style="color:green;">**Resolved**</mark> |

**Description**

There is no guarantee that the owner's deposits will satisfy the presale and liquidity rates.

## **Issue 02**

| **Type**      | **Severity**                                  | **Location**                  | **Status**                                     |
| ------------- | --------------------------------------------- | ----------------------------- | ---------------------------------------------- |
| Best Practice | <mark style="color:orange;">**Medium**</mark> | `contribute, claim, finalize` | <mark style="color:green;">**Resolved**</mark> |

**Description**

The functions call external contracts, exposing themselves to potential reentrancy attacks.

The code does not follow the [checks-effects-interactions](https://fravoll.github.io/solidity-patterns/checks_effects_interactions.html) pattern.

**Recommendation**

Add a reentrancy guard and follow the checks-effects-interactions pattern.

## **Issue 03**

| **Type**      | **Severity**                                        | **Location** | **Status**                                     |
| ------------- | --------------------------------------------------- | ------------ | ---------------------------------------------- |
| Best Practice | <mark style="color:green;">**Informational**</mark> | `contribute` | <mark style="color:green;">**Resolved**</mark> |

**Description**

Use a modifier instead of the presale `require` statement for better readability.

## **Issue 04**

| **Type**      | **Severity**                                  | **Location** | **Status**                                     |
| ------------- | --------------------------------------------- | ------------ | ---------------------------------------------- |
| Volatile Code | <mark style="color:orange;">**Medium**</mark> | `contribute` | <mark style="color:green;">**Resolved**</mark> |

**Description**

The `investor` array's size is limitless. Iterating over an unbounded array may cause the transaction to hit the block gas limit.

**Recommendation**

Use a mapping to track contributions.

## **Issue 05**

| **Type**      | **Severity**                             | **Location**         | **Status**                                     |
| ------------- | ---------------------------------------- | -------------------- | ---------------------------------------------- |
| Volatile Code | <mark style="color:red;">**High**</mark> | `withdrawContribute` | <mark style="color:green;">**Resolved**</mark> |

**Description**

The function does not change the user's deposit value, hence any user can withdraw their deposit multiple times and drain the contract.

**Recommendation**

Add a `require` statement that makes sure the user can withdraw their deposit, and set `deposits[msg.sender]` to 0 after the withdrawal.

## **Issue 06**

| **Type**      | **Severity**                               | **Location**         | **Status**                                     |
| ------------- | ------------------------------------------ | -------------------- | ---------------------------------------------- |
| Logical Issue | <mark style="color:yellow;">**Low**</mark> | `withdrawContribute` | <mark style="color:green;">**Resolved**</mark> |

**Description**

The function does not remove the user from the `investors` array.

## **Issue 07**

| **Type**           | **Severity**                               | **Location** | **Status**                                     |
| ------------------ | ------------------------------------------ | ------------ | ---------------------------------------------- |
| Owner Capabilities | <mark style="color:yellow;">**Low**</mark> | `finalize`   | <mark style="color:green;">**Resolved**</mark> |

**Description**

The owner can lock funds in the contract by never calling this function if the presale exceeds `softcap`.

## **Issue 08**

| **Type**      | **Severity**                             | **Location** | **Status**                                     |
| ------------- | ---------------------------------------- | ------------ | ---------------------------------------------- |
| Logical Issue | <mark style="color:red;">**High**</mark> | `finalize`   | <mark style="color:green;">**Resolved**</mark> |

**Description**

`listingRate` does not subtract the fees taken from the amount listed. Consequently, users may be unable to withdraw their tokens from the contract as the amount of tokens listed does not match the actual amount of tokens in the contract.

## **Issue 09**

| **Type**      | **Severity**                             | **Location** | **Status**                                     |
| ------------- | ---------------------------------------- | ------------ | ---------------------------------------------- |
| Logical Issue | <mark style="color:red;">**High**</mark> | `finalize`   | <mark style="color:green;">**Resolved**</mark> |

**Description**

The contract multiplies `listingRate` by the ETH amount to get the number of tokens. Therefore, `listingRate` should be calculated as token/ETH (tokens per ETH). However, it is currently calculated as ETH/token (ETH per token).

## **Issue 10**

| **Type**      | **Severity**                               | **Location** | **Status**                                     |
| ------------- | ------------------------------------------ | ------------ | ---------------------------------------------- |
| Logical Issue | <mark style="color:yellow;">**Low**</mark> | `finalize`   | <mark style="color:green;">**Resolved**</mark> |

**Description**

If a liquidity pool already exists, there may be unrecoverable leftover tokens in the contract.

## **Issue 11**

| **Type**         | **Severity**                                        | **Location**   | **Status**                                     |
| ---------------- | --------------------------------------------------- | -------------- | ---------------------------------------------- |
| Gas Optimization | <mark style="color:green;">**Informational**</mark> | `addWhitelist` | <mark style="color:green;">**Resolved**</mark> |

**Description**

Move the following line into the `if` block to avoid storing the value in storage.

```
whiteList[accounts[index]] = true;
```

## **Issue 12**

| **Type**         | **Severity**                                        | **Location**      | **Status**                                     |
| ---------------- | --------------------------------------------------- | ----------------- | ---------------------------------------------- |
| Gas Optimization | <mark style="color:green;">**Informational**</mark> | `removeWhitelist` | <mark style="color:green;">**Resolved**</mark> |

**Description**

The removal can be done in constant time by passing the indexes of the accounts to remove.

## **Issue 13**

| **Type**      | **Severity**                             | **Location**      | **Status**                                     |
| ------------- | ---------------------------------------- | ----------------- | ---------------------------------------------- |
| Logical Issue | <mark style="color:red;">**High**</mark> | `getVestedAmount` | <mark style="color:green;">**Resolved**</mark> |

**Description**

`listingRate` is multiplied by a factor.

## **Issue 14**

| **Type**      | **Severity**                                  | **Location**      | **Status**                                     |
| ------------- | --------------------------------------------- | ----------------- | ---------------------------------------------- |
| Volatile Code | <mark style="color:orange;">**Medium**</mark> | `getVestedAmount` | <mark style="color:green;">**Resolved**</mark> |

**Description**

The function may be called anytime. Should the function be called before `presaleEndTimestamp`, `(now - presaleEndTimeStamp)` will underflow.
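The guard this finding calls for, as an added example that is not the audited contract's code. Only `getVestedAmount` and `presaleEndTimestamp` are names from the report; the linear schedule, `vestingDuration` and the function signature are assumptions, and `unchecked` is used to reproduce the wrapping arithmetic of compilers before 0.8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract. The linear schedule and
// `vestingDuration` are assumptions made for this example.
contract VestingClockSketch {
    uint256 public immutable presaleEndTimestamp;
    uint256 public immutable vestingDuration;

    constructor(uint256 endTs, uint256 duration) {
        require(duration > 0, "zero duration");
        presaleEndTimestamp = endTs;
        vestingDuration = duration;
    }

    // Unguarded form: before the presale ends the subtraction wraps to a
    // value close to 2**256 instead of failing. Under the assumed linear
    // schedule that value exceeds any duration, so the whole allocation
    // would appear vested.
    function elapsedUnguarded() public view returns (uint256) {
        unchecked {
            return block.timestamp - presaleEndTimestamp;
        }
    }

    // Guarded form: nothing vests until the presale has ended, and the
    // subtraction only runs once it cannot underflow.
    function getVestedAmount(uint256 total) external view returns (uint256) {
        if (block.timestamp <= presaleEndTimestamp) {
            return 0;
        }
        uint256 elapsed = block.timestamp - presaleEndTimestamp;
        if (elapsed >= vestingDuration) {
            return total;
        }
        return (total * elapsed) / vestingDuration;
    }
}
```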

## **Issue 15**

| **Type**      | **Severity**                             | **Location**         | **Status**                                     |
| ------------- | ---------------------------------------- | -------------------- | ---------------------------------------------- |
| Logical Issue | <mark style="color:red;">**High**</mark> | `withdrawContribute` | <mark style="color:green;">**Resolved**</mark> |

**Description**

`deposits[msg.sender]` is zeroed and then sent out as the value, so users will always withdraw 0 tokens. The value must be set aside before it is zeroed out.

```
deposits[msg.sender] = 0;
Address.sendValue(msg.sender, deposits[msg.sender]);
```
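A withdrawal that addresses Issue 05 and Issue 15 together and follows the recommendation of Issue 02, as an added example that is not the audited contract's code. Only `deposits` and `withdrawContribute` are names from the report; the inline guard, the `contribute` stub and the error strings are assumptions, and the presale-state conditions under which a refund is allowed are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract.
contract WithdrawSketch {
    mapping(address => uint256) public deposits;

    // Minimal reentrancy guard (assumed): 1 = free, 2 = entered.
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    // Hypothetical deposit entry point so the sketch can be exercised.
    function contribute() external payable {
        deposits[msg.sender] += msg.value;
    }

    function withdrawContribute() external nonReentrant {
        // Check: the caller must have a deposit to withdraw.
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to withdraw");

        // Effect: clear the balance before any external call, so a repeated
        // or reentrant call finds zero (Issue 05). The value was cached in
        // `amount` first, so the zeroed slot is never what gets sent
        // (Issue 15).
        deposits[msg.sender] = 0;

        // Interaction: send the cached amount last.
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```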
