Findings

Issue 01

Description

The fallback function seems to be redundant.

Issue 02

Description

addLiquidity calls the external function addLiquidityETH . Since this function can be called during _transfer, it may cause _transfer to fail unnecessarily.

Recommendation

Use try-catch when calling external functions in critical path flows. Our recommendation is to Always make sure error cases are handled gracefully in critical functions such as _transfer

Issue 03

Description

Your current code doesn’t differentiate between sell transaction and addLiquidity transaction (because the user sends tokens to the pair) and buy transaction and removeLiquidity transaction (because the user receives tokens from the pair). Therefore, balanceLimit and custom tax will be applied to liquidity removal and liquidity addition as well.

Issue 04

The owner of the contract can set the lock time between two consecutive sells. Since the contract is constantly selling tokens for BNB as part of the staking rewards and AMM mechanism, If the token contract won’t be excluded from this limitation the contract could only sell once every 2 hours. If swapAndLiquify will take place on every sell transaction the sell transactions will constantly fail.

Recommendation

Our recommendation is to use try, catch when calling external functions and to make sure the contract can’t be excluded for sell cooldown limitations.

Issue 05

Description

This function changes the state of the contact by setting critical operational variables.

Recommendation

Our recommendation is to emit event when changing critical variables or when the state of the contract changed.

Issue 06

Description

The variable promotionStartTimestamp is not used in the contract. When the team sets the promotion token by calling TeamSetPromotionToken it takes place immediately, instead of being delyaed by promotionStartTimestamp

Recommendation

Our recommendation is to delete this variable, or to implement the delay logic in the code.

Issue 07

Description

According to the comments, lotteryTicketPriceis supposed to be 100 tokens, however, it is set to 1000 tokens.

uint256 public lotteryTicketPrice=1000*(10**_decimals); //StartPrize Lottery 100 token

Issue 08

Description

Each user can buy any number of lottery tickets. This function iterates over the number of tickets the user purchased. Iterating over an unbounded array can hit the block gas limit.

Recommendation

Our recommendation is to limit the number of tickets a user can purchase.

Issue 09

approve is being called every transaction on the same tokens and for the same spender (the router).

Recommendation

In order to reduce gas costs, approve could be called once (with max int), and then check if it is needed again using allowance.

Issue 10

Description

The team set the number of tokens to be swapped to 5% of the pair's token balance. 5% of the pair balance will result in more than 5% price impact on the token's price.

Recommendation

Consider lowering the number of tokens to be swapped or to set sellLimit in order to prevent a major price impact.

Issue 11

Description

Every 7 days the team has the ability to withdraw all the bnbs from the contract. The contract holds the BNBs that were allocated for marketing and the BNBs that were allocated for staking rewards.

The team can withdraw the BNBs that were allocated for staking rewards.

Recommendation

Consider using a timelock contract in order to delay the execution of a function like that, or only enable to withdraw tokens who were allocated for marketing.