Findings
Type | Severity | Location | Status |
Best Practice | Informational | All | Acknowledged |
Description
10 ** 18 is a standard unit in Solidity, and has a special keyword "ether".
Recommendation
Consider using ether instead of 10**18 for readability.
Type | Severity | Location | Status |
Best Practice | Medium | receive | ✔️Resolved |
Description
There is a receive function in the contract, which means any address can send BNB to the contract. The problem is that there is no way to recover BNB that was mistakenly sent to the contract.
Recommendation
In order to prevent the contract from receiving BNB from investors, which will result in a loss of funds, our recommendation is to only accept ETH from “whitelisted” addresses (e.g. the router address).
The receive function will revert if the address is not whitelisted.
Type | Severity | Location | Status |
Best Practice | Informational | Multiple locations | Acknowledged |
Description
The set functions don't emit events.
Recommendation
Consider adding events when changing critical variables or the state of the contract.
Type | Severity | Location | Status |
Owner Capabilities | Informational | blacklistAddress | ✔️Resolved |
Description
The owner of the contract can blacklist any address, at any time.
Recommendation
Our recommendation is to limit the timeframe when the owner can append an address to the blacklist.
Type | Severity | Location | Status |
Gas Optimization | Informational | isExcludedFromFees | Acknowledged |
Description
isExcludedFromFees could have been declared as external to save on gas fees.
Type | Severity | Location | Status |
Volatile Code | High | _transfer | ✔️Resolved |
Description
_transfer may call internally to swapExactTokensForETHSupportingFeeOnTransferTokens and addLiquidityETH, which may cause _transfer to fail unnecessarily.
Recommendation
_transfer should always work, and shouldn't fail if swapExactTokensForETHSupportingFeeOnTransferTokens or addLiquidityETH fails, so that the token will always be tradable.
Type | Severity | Location | Status |
Gas Optimization | Informational | _transfer | Acknowledged |
Description
The code doesn’t differentiate between sell transaction and addLiquidity transaction (because the user sends tokens to the pair) and buy transaction and removeLiquidity transaction (because the user receives tokens from the pair). Therefore, the custom tax will be applied to liquidity removal as well as liquidity addition.
Type | Severity | Location | Status |
Gas Optimization | Informational | _approve | Acknowledged |
Approve is being called every transaction on the same tokens and for the same spender (the router).
Recommendation
In order to reduce gas costs, approve could be called once (with max int), and then check if it is needed again using allowance.
Type | Severity | Location | Status |
Logical Issue | Informational | swapAndSendDividends | Acknowledged |
Description
If the dividends token has fees on transfer, the code may not work as intended since the dividends contract will receive fewer tokens than expected and the rewards won't be calculated correctly.
Recommendation
Consider adding general support for dividends tokens with fees on transfer.
Since busd address can't be changed, the issue is marked as informational.
Type | Severity | Location | Status |
Logical Issue | Medium | swapAndSendDividends | ✔️Resolved |
Description
_transfer may call swapAndSendDividends internally. This function can be called during _transfer and can potentially fail when totalSupply of DividendPayingToken is 0.
Recommendation
Consider using try-catch when calling distributeTokenDividends.
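A sketch of the try-catch pattern recommended here and in the Volatile Code finding on _transfer above, so that a reverting router or tracker call does not revert the transfer itself. This is an added example, not the audited contract's code: IRouter, IDividendTracker, SafeFeeProcessing, the two events and the minOut parameter are assumptions, and the router is assumed to already hold an allowance for the tokens being swapped.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; interface and contract names are assumptions.
interface IRouter {
    function WETH() external pure returns (address);
    function swapExactTokensForETHSupportingFeeOnTransferTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline) external;
}

interface IDividendTracker {
    function totalSupply() external view returns (uint256);
    function distributeTokenDividends(uint256 amount) external;
}

abstract contract SafeFeeProcessing {
    IRouter public router;
    IDividendTracker public dividendTracker;

    event SwapFailed(uint256 tokenAmount);
    event DividendDistributionFailed(uint256 amount);

    // Called from _transfer. try/catch only wraps external calls, which the
    // router and tracker calls are, so a revert inside them is caught here
    // and the surrounding transfer still completes.
    function _swapTokensForEth(uint256 tokenAmount, uint256 minOut) internal returns (bool ok) {
        address[] memory path = new address[](2);
        path[0] = address(this);
        path[1] = router.WETH();
        try router.swapExactTokensForETHSupportingFeeOnTransferTokens(
            tokenAmount, minOut, path, address(this), block.timestamp
        ) {
            ok = true;
        } catch {
            emit SwapFailed(tokenAmount); // leave the tokens for a later attempt
        }
    }

    function _notifyDividends(uint256 amount) internal returns (bool ok) {
        // Skip the call while the tracker has no shares (totalSupply == 0).
        if (amount == 0 || dividendTracker.totalSupply() == 0) return false;
        try dividendTracker.distributeTokenDividends(amount) {
            ok = true;
        } catch {
            emit DividendDistributionFailed(amount);
        }
    }
}
```

Emitting an event in each catch branch keeps the failure visible to monitoring instead of silently swallowing it.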
Type | Severity | Location | Status |
Logical Issue | Low | swapAndSendDividends | Acknowledged |
Description
swapAndSendDividends will fail if totalSupply of DividendPayingToken is 0.
Recommendation
Consider handling a scenario in which totalSupply is 0, and dividends are transferred to the contract.
Type | Severity | Location | Status |
Owner Capabilities | High | blacklistAddress | ✔️Resolved |
Description
The owner can blacklist any address. If the owner blacklists the pair address or the contract address the token will be untradeable.
Recommendation
Add a require statement that prohibits the owner from blacklisting the pair address and the contract address.
Type | Severity | Location | Status |
Owner Capabilities | High | updateUniswapV2Router | ✔️Resolved |
Description
The owner can set PancakeSwap's router address, which gives him full control over all token swaps.
Recommendation
Consider implementing a timelock mechanism to allow users to review the changes, or remove this feature altogether as backward-incompatible router updates are a very rare event.
Type | Severity | Location | Status |
Owner Capabilities | High | setBUSDRewardsFee | ✔️Resolved |
Description
The owner of the contract can set the busd rewards fee, marketing fee, and liquidity fee by calling setBUSDRewardsFee or setLiquiditFee or setMarketingFee to any value they desire. If the owner sets the fee to 100% the token will be untradeable.
Recommendation
Consider adding an upper limit for the set functions.
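One way to apply this recommendation together with the blacklist guard and the event recommendation from the earlier findings, as an added example that is not the audited contract's code. The MAX_TOTAL_FEE value, the events, the storage layout and the (address, bool) signature of blacklistAddress are assumptions; the setter names follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; cap value, events and storage layout are assumptions.
abstract contract GuardedOwnerSetters {
    address public immutable owner;
    address public uniswapV2Pair; // assumed to be set when the pair is created
    uint256 public BUSDRewardsFee;
    uint256 public liquidityFee;
    uint256 public marketingFee;
    uint256 public constant MAX_TOTAL_FEE = 25; // percent, assumed cap
    mapping(address => bool) public isBlacklisted;

    event FeesUpdated(uint256 rewards, uint256 liquidity, uint256 marketing);
    event BlacklistUpdated(address indexed account, bool blacklisted);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Bound the sum, not each fee: three individually acceptable fees can
    // still add up to a transfer tax that makes the token untradeable.
    function _setFees(uint256 rewards, uint256 liquidity, uint256 marketing) private {
        require(rewards + liquidity + marketing <= MAX_TOTAL_FEE, "total fee above cap");
        BUSDRewardsFee = rewards;
        liquidityFee = liquidity;
        marketingFee = marketing;
        emit FeesUpdated(rewards, liquidity, marketing);
    }

    function setBUSDRewardsFee(uint256 v) external onlyOwner { _setFees(v, liquidityFee, marketingFee); }
    function setLiquiditFee(uint256 v) external onlyOwner { _setFees(BUSDRewardsFee, v, marketingFee); }
    function setMarketingFee(uint256 v) external onlyOwner { _setFees(BUSDRewardsFee, liquidityFee, v); }

    function blacklistAddress(address account, bool value) external onlyOwner {
        // The pair and the token contract must stay able to send and receive.
        require(account != uniswapV2Pair && account != address(this), "cannot blacklist pair or token");
        isBlacklisted[account] = value;
        emit BlacklistUpdated(account, value);
    }
}
```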
Type | Severity | Location | Status |
Gas Optimization | Informational | setBUSDRewardsFee | Acknowledged |
Description
The contract may call swapExactTokensForETHSupportingFeeOnTransferTokens 3 times, each call consumes a large amount of gas.
Recommendation
Consider calling this function only once.