Findings

Issue 01

Type: Arithmetic Error
Severity: Low
Location: calcStakingRewards
Status: Acknowledged

Description

The reward calculation in calcStakingRewards is not exact.

According to the documentation, if the user burned 90% of the staked amount, the APY should be 42%, which means the user should receive 420 tokens for 1,000 staked.

However, the function returns slightly more than 420 reward tokens.

The team confirmed this is the intended behavior.

Issue 02

Type: Owner Capabilities
Severity: High
Location: _transferMkong
Status: Not Resolved

Description

The owner can blacklist any address.

Recommendation

Consider time limiting this capability.

Issue 03

Type: Owner Capabilities
Severity: High
Location: _transferMkong
Status: Not Resolved

Description

The owner can call lockContract and make the token untradable.

Recommendation

Consider limiting this capability.

General Notes

  1. All the set functions should include validation checks so that the code is resilient to owner configuration errors that could lead to logical or mathematical issues. For instance, if the buy/sell fees must be a number between 0 and 100 (as they are divided by 100 in the code), validation enforcing this constraint must be implemented.

  2. The code uses the internal _transfer to move tokens from the user to the contract (for example in StakeTokens and BurnTokens). Consider using transferFrom, which is the standard method for executing token transfers on the user's behalf.

  3. The code's use of a proxy contract introduces risk. Proxy contracts enable upgradability and flexibility, but because the logic behind the proxy can change, a malicious or mistaken upgrade could alter the contract's intended functionality, potentially leading to unauthorized access, loss of data integrity, or manipulation of funds. A thorough security assessment and appropriate safeguards are needed to mitigate the risks associated with proxy contracts.

  4. The proxy mechanism gives flexibility by allowing the logic of a contract to be changed instantly. However, there are many pitfalls to be aware of when working with upgradeable contracts (see https://docs.openzeppelin.com/upgrades-plugins/1.x/writing-upgradeable#modifying-your-contracts). The team should be aware of these pitfalls before upgrading the implementation contract, consider reauditing the new implementation contract, and ensure the upgrade process is secure.

  5. The team has implemented a feature that automatically burns tokens held in the Uniswap pool, which has the potential to increase the price. The team should carefully consider the most suitable values for the project to ensure price stability.
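As an added illustration of General Note 1 and the recommendation under Issue 02 (this is example code, not the audited contract's), the following contract shows a fee setter that rejects out-of-range values and a blacklist capability that expires after a fixed window. The owner handling, the MAX_FEE_PERCENT cap and the names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract's code. Assumes a simple
// owner address; fees are in percent because the report notes they are
// divided by 100 in the audited code. MAX_FEE_PERCENT is a hypothetical cap.
contract FeeConfigExample {
    address public immutable owner;

    uint256 public constant MAX_FEE_PERCENT = 25;
    uint256 public buyFeePercent;
    uint256 public sellFeePercent;

    // Blacklisting is only possible until this timestamp, fixed at deployment.
    uint256 public immutable blacklistDeadline;
    mapping(address => bool) public blacklisted;

    event FeesUpdated(uint256 buyFee, uint256 sellFee);
    event Blacklisted(address indexed account, bool status);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 blacklistWindow) {
        owner = msg.sender;
        blacklistDeadline = block.timestamp + blacklistWindow;
    }

    // Validated setter: a configuration error cannot push a fee above the cap,
    // so transfers can never be taxed at 100% or revert on underflow.
    function setFees(uint256 buyFee, uint256 sellFee) external onlyOwner {
        require(buyFee <= MAX_FEE_PERCENT, "buy fee too high");
        require(sellFee <= MAX_FEE_PERCENT, "sell fee too high");
        buyFeePercent = buyFee;
        sellFeePercent = sellFee;
        emit FeesUpdated(buyFee, sellFee);
    }

    // Time-limited owner capability: once the window closes the owner can no
    // longer change any address's blacklist status.
    function setBlacklist(address account, bool status) external onlyOwner {
        require(block.timestamp < blacklistDeadline, "blacklist window closed");
        blacklisted[account] = status;
        emit Blacklisted(account, status);
    }
}
```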
