Findings
Issue 01
Type: Logical Issue
Severity: High
Location: *
Status: Resolved
Description
When playToEarnReward > amountPlayToEarn (the last reward mint), line 74 contains a logic error that can mint more tokens than amountPlayToEarn, instead of the desired behavior of minting only up to amountPlayToEarn.
Recommendation
Change the availableReward calculation to
uint256 availableReward = amountPlayToEarn.sub(playToEarnReward.sub(reward));
which will mint the remaining tokens.
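The recommended calculation shown in context, as an added example that is not the audited contract's code. Only amountPlayToEarn, playToEarnReward, reward and availableReward come from the report. The contract name, mintReward, balanceOf, owner and the ordering of the counter update are assumptions, and Solidity 0.8 checked arithmetic stands in for SafeMath's sub.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract. Names other than
// amountPlayToEarn, playToEarnReward, reward and availableReward are assumed.
contract PlayToEarnCapExample {
    uint256 public immutable amountPlayToEarn; // total play-to-earn allocation
    uint256 public playToEarnReward;           // running total of rewards minted
    address public immutable owner;            // assumed minter role
    mapping(address => uint256) public balanceOf;

    event RewardMinted(address indexed player, uint256 requested, uint256 minted);

    constructor(uint256 cap) {
        amountPlayToEarn = cap;
        owner = msg.sender;
    }

    function mintReward(address player, uint256 reward)
        external
        returns (uint256 availableReward)
    {
        require(msg.sender == owner, "not owner");
        require(playToEarnReward < amountPlayToEarn, "allocation exhausted");

        // Assumption: the running total is increased before the cap check,
        // which is the ordering the recommended formula implies.
        playToEarnReward += reward;
        availableReward = reward;

        if (playToEarnReward > amountPlayToEarn) {
            // playToEarnReward - reward is the total before this call, so the
            // distance from it to the cap is exactly what is left to mint.
            availableReward = amountPlayToEarn - (playToEarnReward - reward);
            playToEarnReward = amountPlayToEarn; // pin the total at the cap
        }

        // Stand-in for the token's mint: credit only the capped amount.
        balanceOf[player] += availableReward;
        emit RewardMinted(player, reward, availableReward);
    }
}
```

With constructed values of a 1000-token cap, 900 already minted and a requested reward of 250, the counter reaches 1150, the branch computes 1000 - (1150 - 250) = 100, and the running total ends at exactly 1000.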
Issue 02
Type: Owner Capabilities
Severity: High
Location: _transfer
Status: Resolved
Description
The owner can blacklist any address. If the owner blacklists the pair address or the contract address, the token becomes untradable.
Recommendation
Add a require statement that would prohibit the owner from blacklisting the pair address and the contract address.
Issue 03
Type: Best Practice
Severity: Medium
Location: receive
Status: Resolved
Description
The contract has a receive function, which means any address can send BNB to the contract. The problem is that there is no way to recover BNB that was mistakenly sent to the contract.
Recommendation
To prevent the contract from receiving BNB from investors, which would result in a loss of funds, we recommend accepting ETH only from “whitelisted” addresses (for example, the router address should be whitelisted). The receive function will revert if the address is not whitelisted.
General Note
The gas consumption of the contract can be improved by changing the visibility of public functions that are not called within the contract to external.