# Findings

## **Issue 01**

| **Type**           | **Severity**                             | **Location** | **Status**                                        |
| ------------------ | ---------------------------------------- | ------------ | ------------------------------------------------- |
| Owner Capabilities | <mark style="color:red;">**High**</mark> | `receive`    | ✔️ <mark style="color:green;">**Resolved**</mark> |

**Description**

The owner can blacklist any address. If the owner blacklists the pair address or the contract address, the token will be untradeable.

**Recommendation**

Add a require statement that prevents the owner from blacklisting the pair address and the contract address.

## **Issue 02**

| **Type**      | **Severity**                                  | **Location** | **Status**                                                                                                         |
| ------------- | --------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------ |
| Volatile Code | <mark style="color:orange;">**Medium**</mark> | `_transfer`  | <mark style="color:red;">❌</mark> <mark style="color:red;">**Not Resolved**</mark> |

**Description**

`swapTokensForBos` is called on every transfer. This function sells tokens for BNB, which can result in a price drop.

**Recommendation**

Consider adding a dynamic upper limit according to a percentage of the token pair balance, in order to control the price impact and prevent the token from being untradeable due to slippage higher than 49%.

**General Notes**

The team needs to acknowledge this issue and consider the value they put as the maximum limit.

## **Issue 03**

| **Type**                       | **Severity**                             | **Location** | **Status**                                        |
| ------------------------------ | ---------------------------------------- | ------------ | ------------------------------------------------- |
| Volatile Code / Logical Issue  | <mark style="color:red;">**High**</mark> | `_transfer`  | ✔️ <mark style="color:green;">**Resolved**</mark> |

**Description**

`swapTokensForBoss` is called on every transfer. If the pool is not created, this function will fail, causing `_transfer` to fail until liquidity is added.

In addition, `swapTokensForBoss` will not work on buy transactions, which is part of PancakeSwap's protocol requirements.

**Recommendation**

Add an option to disable the `swapTokensForBoss` feature, and only call this function on sell transactions.

## **Issue 04**

| **Type**      | **Severity**                                  | **Location** | **Status**                                        |
| ------------- | --------------------------------------------- | ------------ | ------------------------------------------------- |
| Best Practice | <mark style="color:orange;">**Medium**</mark> | `receive`    | ✔️ <mark style="color:green;">**Resolved**</mark> |

**Description**

There is a `receive` function in the contract, which means any address can send BNB to the contract.

**Recommendation**

In order to prevent the contract from receiving BNB from investors, which will result in a loss of funds, our recommendation is to only accept BNB from “whitelisted” addresses (e.g. router address).

The receive function will revert if the address is not whitelisted.

## **Issue 05**

| **Type**                      | **Severity**                             | **Location** | **Status**                                        |
| ----------------------------- | ---------------------------------------- | ------------ | ------------------------------------------------- |
| Best Practice / Volatile Code | <mark style="color:red;">**High**</mark> | `_transfer`  | ✔️ <mark style="color:green;">**Resolved**</mark> |

**Description**

`_transfer` calls the external function `swapTokensForEth`. Since this function can be called during `_transfer`, it may cause `_transfer` to fail unnecessarily.

**Recommendation**

Use try-catch when calling external functions in critical path flows.

Our recommendation is to always make sure error cases are handled gracefully in critical functions such as `_transfer`.
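
The recommendations of Issues 02, 03 and 05 can be combined in one guard around the swap, shown here as an added example that is not the audited contract's code. The names `GuardedSwap`, `_maybeSwap`, `swapEnabled`, `maxSwapBps` and `SwapFailed` are hypothetical, and a PancakeSwap V2-style router with a token/WBNB pair is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; not the audited contract's code.
interface IRouter {
    function WETH() external pure returns (address);
    function swapExactTokensForETHSupportingFeeOnTransferTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external;
}

abstract contract GuardedSwap {
    IRouter public router;            // assumed set by the token's constructor
    address public pair;              // assumed: the token/WBNB pair
    bool public swapEnabled;          // owner-controlled switch (Issue 03)
    uint256 public maxSwapBps = 100;  // hypothetical cap: 1% of the pair's token balance (Issue 02)
    bool private inSwap;              // stops the swap's own transfer from re-triggering it

    event SwapFailed(uint256 amount);

    // Hypothetical hooks, implemented by the token that inherits this contract.
    function balanceOf(address account) public view virtual returns (uint256);
    function _approve(address owner, address spender, uint256 amount) internal virtual;

    // Intended to be called from _transfer before balances move.
    function _maybeSwap(address to) internal {
        // Sells only: tokens are moving into the pair (Issue 03).
        if (!swapEnabled || inSwap || to != pair) return;

        uint256 pairBalance = balanceOf(pair);
        if (pairBalance == 0) return;            // no liquidity yet, nothing to swap against

        uint256 cap = (pairBalance * maxSwapBps) / 10_000;
        uint256 amount = balanceOf(address(this));
        if (amount > cap) amount = cap;          // bound the price impact (Issue 02)
        if (amount == 0) return;

        address[] memory path = new address[](2);
        path[0] = address(this);
        path[1] = router.WETH();

        inSwap = true;
        _approve(address(this), address(router), amount);
        try router.swapExactTokensForETHSupportingFeeOnTransferTokens(
            amount, 0, path, address(this), block.timestamp
        ) {} catch {
            emit SwapFailed(amount);             // the transfer itself continues (Issue 05)
        }
        inSwap = false;
    }
}
```

`try`/`catch` applies only to external calls, which is why the router is called directly inside the `try` rather than through an internal wrapper function.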

## **Issue 06**

| **Type**           | **Severity**                             | **Location**         | **Status** |
| ------------------ | ---------------------------------------- | -------------------- | ---------- |
| Owner Capabilities | <mark style="color:red;">**High**</mark> | `setTransferFeeRate` |            |

**Description**

There is no upper limit to the setFees functions. If the owner sets them to 100%, the token will be untradeable.

**Recommendation**

Consider adding an upper limit to the set functions.

## General Notes

The anti-bot code can be removed as the team is going to use Solid Group bot protection.
