Findings

Issue 01

Description

10 ** 18 is the standard token unit in Solidity and has a dedicated keyword, ether (1 ether == 10**18 wei).

Recommendation

Consider using 1 ether instead of 10**18 for readability.

Issue 02

Description

There is a receive function in the contract, which means any address can send BNB to it. The problem is that there is no way to recover BNB that was mistakenly sent to the contract.

Recommendation

To prevent the contract from receiving BNB from investors, which would result in a loss of those funds, our recommendation is to only accept BNB from “whitelisted” addresses (e.g. the router address) and to have the receive function revert when msg.sender is not whitelisted.
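As an added example of the whitelisted receive function (this is not the audited contract's code; the contract name, the owner handling and the assumption that the router is the only legitimate source of BNB are mine):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract. The whitelist is keyed on msg.sender; the router is
// assumed to be the only legitimate source of BNB (swap proceeds and addLiquidityETH refunds).
contract WhitelistedReceive {
    address public owner;
    mapping(address => bool) public bnbSenderWhitelist;

    event BnbSenderWhitelisted(address indexed sender, bool allowed);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address router) {
        owner = msg.sender;
        bnbSenderWhitelist[router] = true;
        emit BnbSenderWhitelisted(router, true);
    }

    function setBnbSender(address sender, bool allowed) external onlyOwner {
        bnbSenderWhitelist[sender] = allowed;
        emit BnbSenderWhitelisted(sender, allowed);
    }

    // Issue 02: a plain BNB transfer from an investor reverts instead of being locked in the contract.
    receive() external payable {
        require(bnbSenderWhitelist[msg.sender], "direct BNB transfers are not accepted");
    }
}
```

Swap proceeds and addLiquidityETH dust refunds arrive with the router as msg.sender, so whitelisting it covers the normal flow; if the router is ever replaced, the new one has to be whitelisted too. The check stops accidental transfers, not forced ones: BNB sent via selfdestruct bypasses receive entirely, so the contract can still end up with a non-zero balance.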

Issue 03

Description

The set functions don't emit events.

Recommendation

Consider adding events when changing critical variables or the state of the contract.

Issue 04

Description

The owner of the contract can blacklist any address, at any time.

Recommendation

Our recommendation is to limit the timeframe during which the owner can add an address to the blacklist (for example, a fixed window after launch).

Issue 05

Description

isExcludedFromFees is declared public but could be declared external to save gas.

Issue 06

Description

_transfer may internally call swapExactTokensForETHSupportingFeeOnTransferTokens and addLiquidityETH on the router; if either of those calls reverts, the revert propagates and _transfer fails unnecessarily.

Recommendation

_transfer should always succeed: a failure of swapExactTokensForETHSupportingFeeOnTransferTokens or addLiquidityETH should not revert the user's transfer, so that the token always remains tradable.

Issue 07

Description

The code does not differentiate between a sell and an addLiquidity transaction (in both, the user sends tokens to the pair), nor between a buy and a removeLiquidity transaction (in both, the user receives tokens from the pair). Therefore the custom tax is applied to liquidity removal and liquidity addition as well.

Issue 08

Description

approve is called on every transaction for the same token and the same spender (the router).

Recommendation

To reduce gas costs, approve could be called once with the maximum value (type(uint256).max); on later calls, check allowance and only call approve again when it has dropped below the amount needed.

Issue 09

Description

If the dividend token has a fee on transfer, the code will not work as intended: the dividends contract receives fewer tokens than the amount passed to it, so the rewards are calculated on an amount it does not actually hold.

Recommendation

Consider adding general support for dividend tokens with fees on transfer (for example by crediting the balance actually received rather than the amount sent).

Since the BUSD address cannot be changed, the issue is marked as informational.

Issue 10

Description

_transfer may internally call swapAndSendDividends, which in turn calls distributeTokenDividends on the DividendPayingToken. That call reverts when the DividendPayingToken's totalSupply is 0, so the user's transfer fails as well.

Recommendation

Consider using try/catch when calling distributeTokenDividends, so that a revert there does not break transfers.

Issue 11

Description

swapAndSendDividends will fail if the totalSupply of DividendPayingToken is 0, because there are no holders to distribute the dividends to.

Recommendation

Consider handling the scenario in which totalSupply is 0 while dividends are transferred to the contract, instead of reverting.
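An added example of the tracker-side handling for Issue 11. It is not the project's DividendPayingToken, although it keeps that design's magnifiedDividendPerShare accounting; the contract name, the token/busd constructor arguments, the undistributedDividends parking and the events are assumptions, and BUSD is assumed to have no transfer fee (the amount credited should be the balance actually received).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's DividendPayingToken. Dividends that arrive while totalSupply is 0
// are parked instead of reverting; `token` and `busd` are assumed constructor arguments.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract ZeroSupplySafeTracker {
    uint256 internal constant MAGNITUDE = 2 ** 128;

    address public immutable token;   // the only caller allowed to move shares or push dividends
    address public immutable busd;

    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    uint256 public magnifiedDividendPerShare;
    mapping(address => int256) internal magnifiedDividendCorrections;
    mapping(address => uint256) public withdrawnDividends;
    uint256 public undistributedDividends;   // Issue 11: dividends received while nobody held shares

    event DividendsDistributed(uint256 amount);
    event DividendsParked(uint256 amount);

    modifier onlyToken() { require(msg.sender == token, "not token"); _; }

    constructor(address _token, address _busd) { token = _token; busd = _busd; }

    // Called by the token after `amount` BUSD has been transferred here.
    function distributeDividends(uint256 amount) external onlyToken {
        uint256 toDistribute = amount + undistributedDividends;
        if (toDistribute == 0) return;
        if (totalSupply == 0) {
            undistributedDividends = toDistribute;   // the original design reverts at this point
            emit DividendsParked(amount);
            return;
        }
        undistributedDividends = 0;
        magnifiedDividendPerShare += toDistribute * MAGNITUDE / totalSupply;
        emit DividendsDistributed(toDistribute);
    }

    // Share changes carry a correction so past dividends are not re-attributed to new shares.
    function setBalance(address account, uint256 newBalance) external onlyToken {
        uint256 current = balanceOf[account];
        if (newBalance > current) {
            uint256 added = newBalance - current;
            totalSupply += added;
            magnifiedDividendCorrections[account] -= int256(magnifiedDividendPerShare * added);
        } else if (newBalance < current) {
            uint256 removed = current - newBalance;
            totalSupply -= removed;
            magnifiedDividendCorrections[account] += int256(magnifiedDividendPerShare * removed);
        }
        balanceOf[account] = newBalance;
    }

    // The int256 casts assume magnifiedDividendPerShare * balance stays below 2**255.
    function accumulativeDividendOf(address account) public view returns (uint256) {
        int256 magnified = int256(magnifiedDividendPerShare * balanceOf[account]) + magnifiedDividendCorrections[account];
        return uint256(magnified) / MAGNITUDE;
    }

    function withdrawableDividendOf(address account) public view returns (uint256) {
        return accumulativeDividendOf(account) - withdrawnDividends[account];
    }

    function withdrawDividend() external {
        uint256 amount = withdrawableDividendOf(msg.sender);
        if (amount == 0) return;
        withdrawnDividends[msg.sender] += amount;
        require(IERC20Like(busd).transfer(msg.sender, amount), "BUSD transfer failed");
    }
}
```

Parked dividends are released on the next distributeDividends call once shares exist; calling distributeDividends(0) after the first holder has been registered does that explicitly. The original design guards the int256 conversions with a checked cast; this example only documents the assumption.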

Issue 12

Description

The owner can blacklist any address. If the owner blacklists the pair address or the contract address, the token becomes untradeable.

Recommendation

Add a require statement that prevents the owner from blacklisting the pair address and the contract address.

Issue 13

Description

The owner can set PancakeSwap's router address, which gives them full control over all token swaps: every swap and liquidity addition is routed through whichever address the owner sets.

Recommendation

Consider implementing a timelock mechanism so that users can review the change before it takes effect, or remove this feature altogether, as backward-incompatible router updates are a very rare event.

Issue 14

Description

The owner of the contract can set the BUSD rewards fee, marketing fee and liquidity fee by calling setBUSDRewardsFee, setLiquiditFee or setMarketingFee with any value they desire. If the owner sets the fee to 100%, the token becomes untradeable.

Recommendation

Consider adding an upper limit in the set functions, both for each individual fee and for their sum.
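One way to address Issues 03, 04, 12, 13 and 14 in a single owner-controls module, as an added example that is not the audited token's code: the events, the combined setFees signature, MAX_TOTAL_FEE, BLACKLIST_WINDOW and ROUTER_DELAY are assumptions. The audited contract uses separate fee setters, which would each need to check the same cap on the resulting total.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited token. MAX_TOTAL_FEE, BLACKLIST_WINDOW, ROUTER_DELAY and the
// combined setFees signature are assumptions; the audited contract has separate setters.
contract BoundedOwnerControls {
    address public owner;
    address public router;
    address public immutable pair;

    uint256 public busdRewardsFee;
    uint256 public liquidityFee;
    uint256 public marketingFee;
    uint256 public constant MAX_TOTAL_FEE = 25;          // percent; Issue 14 upper limit

    mapping(address => bool) public blacklisted;
    uint256 public immutable blacklistDeadline;          // Issue 04: additions only during the launch window
    uint256 public constant BLACKLIST_WINDOW = 3 days;

    address public pendingRouter;                        // Issue 13: two-step, delayed router change
    uint256 public routerChangeReadyAt;
    uint256 public constant ROUTER_DELAY = 2 days;

    // Issue 03: every owner action is observable off-chain
    event FeesUpdated(uint256 busdRewardsFee, uint256 liquidityFee, uint256 marketingFee);
    event BlacklistUpdated(address indexed account, bool isBlacklisted);
    event RouterChangeProposed(address indexed newRouter, uint256 readyAt);
    event RouterChanged(address indexed oldRouter, address indexed newRouter);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address _router, address _pair) {
        owner = msg.sender;
        router = _router;
        pair = _pair;
        blacklistDeadline = block.timestamp + BLACKLIST_WINDOW;
    }

    // Issue 14: the combined fee is capped so the owner cannot make transfers unaffordable.
    function setFees(uint256 _rewards, uint256 _liquidity, uint256 _marketing) external onlyOwner {
        require(_rewards + _liquidity + _marketing <= MAX_TOTAL_FEE, "fees exceed cap");
        busdRewardsFee = _rewards;
        liquidityFee = _liquidity;
        marketingFee = _marketing;
        emit FeesUpdated(_rewards, _liquidity, _marketing);
    }

    // Issues 04 and 12: core addresses can never be blacklisted and additions stop after the window;
    // removals stay possible so a wrongly blacklisted account can be freed later.
    function setBlacklist(address account, bool value) external onlyOwner {
        require(account != pair && account != address(this), "cannot blacklist pair or token");
        if (value) require(block.timestamp <= blacklistDeadline, "blacklist window closed");
        blacklisted[account] = value;
        emit BlacklistUpdated(account, value);
    }

    // Issue 13: the router change is announced first and can only be applied after ROUTER_DELAY.
    function proposeRouter(address newRouter) external onlyOwner {
        require(newRouter != address(0), "zero router");
        pendingRouter = newRouter;
        routerChangeReadyAt = block.timestamp + ROUTER_DELAY;
        emit RouterChangeProposed(newRouter, routerChangeReadyAt);
    }

    function executeRouterChange() external onlyOwner {
        require(pendingRouter != address(0), "nothing proposed");
        require(block.timestamp >= routerChangeReadyAt, "timelock not expired");
        emit RouterChanged(router, pendingRouter);
        router = pendingRouter;
        pendingRouter = address(0);
    }
}
```

A router change usually comes with a new pair, so the pair exclusion in setBlacklist and any fee logic keyed on pair would have to move with it; that is one more argument for dropping the feature rather than timelocking it.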

Issue 15

Description

The contract may call swapExactTokensForETHSupportingFeeOnTransferTokens up to three times in a single transaction, and each call consumes a large amount of gas.

Recommendation

Consider swapping the combined amount in a single call and splitting the resulting BNB between its different uses.
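Putting Issues 06, 08, 09, 10 and 15 together, here is how the swap path could look. This is an added example written for this page, not the audited contract's code: the router and tracker calls use the PancakeSwap V2 and DividendPayingToken signatures, while the contract name, the fee names and percentages, the wallet addresses and the event and helper names are assumptions, and the marketing share is left out. The token's own ERC20 helper _approve is left abstract and the allowance is read through the token's public interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited contract's code. Router and tracker signatures follow PancakeSwap V2
// and DividendPayingToken; fee names, percentages and wallets are assumptions and the marketing share
// is left out. State is assumed to be initialised by the token's constructor.
interface IERC20Like {
    function balanceOf(address) external view returns (uint256);
    function allowance(address, address) external view returns (uint256);
}

interface IRouter {
    function WETH() external pure returns (address);
    function swapExactTokensForETHSupportingFeeOnTransferTokens(uint256, uint256, address[] calldata, address, uint256) external;
    function swapExactETHForTokensSupportingFeeOnTransferTokens(uint256, address[] calldata, address, uint256) external payable;
    function addLiquidityETH(address, uint256, uint256, uint256, address, uint256) external payable returns (uint256, uint256, uint256);
}

interface IDividendTracker { function distributeDividends(uint256 amount) external; }

abstract contract SafeSwapAndDistribute {
    IRouter public router;
    address public busd;
    address public dividendTracker;
    address public liquidityWallet;
    uint256 public liquidityFee = 2;   // assumed shares of the taxed amount, in percent
    uint256 public rewardsFee = 8;
    bool private swapping;

    // Issue 06: a failed step is logged; it never reverts the user's transfer.
    event SwapStepFailed(string step, bytes reason);

    function _approve(address owner, address spender, uint256 amount) internal virtual;

    // Hook for _transfer. The router swap re-enters _transfer, so the flag stops recursion.
    function _maybeSwapAndDistribute(uint256 tokens) internal {
        if (swapping) return;
        swapping = true;
        _swapAndDistribute(tokens);
        swapping = false;
    }

    // Issue 08: approve the router once with the maximum value; re-approve only if the allowance ran low.
    function _ensureRouterAllowance(uint256 amount) internal {
        if (IERC20Like(address(this)).allowance(address(this), address(router)) < amount) {
            _approve(address(this), address(router), type(uint256).max);
        }
    }

    // Issue 15: one token->BNB swap for everything except the token half of the liquidity.
    function _swapAndDistribute(uint256 tokens) internal {
        uint256 totalFee = liquidityFee + rewardsFee;
        if (tokens == 0 || totalFee == 0) return;
        uint256 liquidityTokens = tokens * liquidityFee / totalFee / 2;
        uint256 tokensToSwap = tokens - liquidityTokens;
        _ensureRouterAllowance(tokens);   // covers the swap and the later addLiquidityETH

        address[] memory path = new address[](2);
        (path[0], path[1]) = (address(this), router.WETH());
        uint256 bnbBefore = address(this).balance;
        try router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokensToSwap, 0, path, address(this), block.timestamp) {
        } catch (bytes memory reason) {
            emit SwapStepFailed("swap", reason);
            return;
        }
        uint256 bnbReceived = address(this).balance - bnbBefore;

        // Liquidity swapped half its share, rewards its full share: split the BNB in the same ratio.
        uint256 bnbForLiquidity = bnbReceived * liquidityFee / (liquidityFee + 2 * rewardsFee);
        if (liquidityTokens > 0 && bnbForLiquidity > 0) {
            try router.addLiquidityETH{value: bnbForLiquidity}(address(this), liquidityTokens, 0, 0, liquidityWallet, block.timestamp) {
            } catch (bytes memory reason) { emit SwapStepFailed("addLiquidity", reason); }
        }
        _swapAndSendDividends(bnbReceived - bnbForLiquidity);
    }

    // Issues 09 and 10: credit only the BUSD the tracker actually received, and survive a tracker revert.
    function _swapAndSendDividends(uint256 bnb) internal {
        if (bnb == 0) return;
        address[] memory path = new address[](2);
        (path[0], path[1]) = (router.WETH(), busd);
        uint256 before = IERC20Like(busd).balanceOf(dividendTracker);
        try router.swapExactETHForTokensSupportingFeeOnTransferTokens{value: bnb}(0, path, dividendTracker, block.timestamp) {
        } catch (bytes memory reason) {
            emit SwapStepFailed("busdSwap", reason);
            return;
        }
        uint256 received = IERC20Like(busd).balanceOf(dividendTracker) - before;
        if (received == 0) return;
        try IDividendTracker(dividendTracker).distributeDividends(received) {
        } catch (bytes memory reason) {
            emit SwapStepFailed("distribute", reason);   // e.g. the tracker's totalSupply() == 0
        }
    }
}
```

try/catch only covers a revert raised inside the external call: router.WETH() is evaluated outside the try blocks, and Solidity's code-existence check before a try call is not caught either, so a router address without code still reverts the transfer. Passing block.timestamp as the deadline and 0 as amountOutMin disables both protections, which is the usual trade-off for a swap executed inside an unrelated user's transfer; a practitioner should at least make sure the swap threshold is not something an attacker can trigger at a moment of their choosing.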
