# Findings

## Issue 01

| **Type**      | **Severity**                               | **Location** | **Status**                                                                          |
| ------------- | ------------------------------------------ | ------------ | ----------------------------------------------------------------------------------- |
| Best Practice | <mark style="color:yellow;">**Low**</mark> | `receive`    | <mark style="color:green;">✔️</mark> <mark style="color:green;">**Resolved**</mark> |

**Description**

The contract has a `receive` function, which means any address can send BNB to the contract.

**Recommendation**

To prevent the contract from receiving BNB from investors, our recommendation is to accept BNB only from “whitelisted” addresses (e.g. the router address).

The `receive` function will revert if the sender is not whitelisted.

**Status**

The issue has been resolved.

## Issue 02

| **Type**           | **Severity**                                  | **Location**       | **Status**                                                                          |
| ------------------ | --------------------------------------------- | ------------------ | ----------------------------------------------------------------------------------- |
| Owner Capabilities | <mark style="color:orange;">**Medium**</mark> | `setRouterAddress` | <mark style="color:green;">✔️</mark> <mark style="color:green;">**Resolved**</mark> |

**Description**

The owner can set PancakeSwap's router address, which gives them full control over all token swaps.

**Recommendation**

Consider implementing a timelock mechanism to allow users to review the changes, or remove this feature altogether: backward-incompatible router updates are a very rare event, and such an update can be implemented with the existing `updateStrategy` logic.
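As an added example of the recommended timelock (illustrative code, not the audited contract's `setRouterAddress`; every name in it is an assumption): the owner first queues a router change and can only apply it after a fixed delay, which gives users time to review the pending router and exit if they disagree.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Example contract, not the audited token; all names here are assumptions.
contract TimelockedRouter {
    uint256 public constant ROUTER_CHANGE_DELAY = 48 hours;
    address public owner;
    address public router;
    address public pendingRouter;
    uint256 public routerChangeEta; // earliest timestamp the queued change may be applied
    event RouterChangeQueued(address indexed newRouter, uint256 eta);
    event RouterChangeApplied(address indexed oldRouter, address indexed newRouter);
    event RouterChangeCancelled(address indexed cancelledRouter);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(address initialRouter) {
        owner = msg.sender;
        router = initialRouter;
    }

    // Step 1: announce the new router. Nothing changes yet; users can inspect
    // pendingRouter / routerChangeEta and exit before it takes effect.
    function queueRouterChange(address newRouter) external onlyOwner {
        require(newRouter != address(0), "router is zero address");
        pendingRouter = newRouter;
        routerChangeEta = block.timestamp + ROUTER_CHANGE_DELAY;
        emit RouterChangeQueued(newRouter, routerChangeEta);
    }

    // Step 2: apply the queued router only once the delay has elapsed.
    function applyRouterChange() external onlyOwner {
        require(pendingRouter != address(0), "no change queued");
        require(block.timestamp >= routerChangeEta, "timelock not expired");
        emit RouterChangeApplied(router, pendingRouter);
        router = pendingRouter;
        delete pendingRouter;
        delete routerChangeEta;
    }

    // The owner may withdraw a queued change before it is applied.
    function cancelRouterChange() external onlyOwner {
        emit RouterChangeCancelled(pendingRouter);
        delete pendingRouter;
        delete routerChangeEta;
    }
}
```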

**Status**

The issue has been resolved.

## Issue 03

| **Type**           | **Severity**                             | **Location**   | **Status**                                        |
| ------------------ | ---------------------------------------- | -------------- | ------------------------------------------------- |
| Owner Capabilities | <mark style="color:red;">**High**</mark> | `blockAddress` | ✔️ <mark style="color:green;">**Resolved**</mark> |

**Description**

The owner can blacklist any address at any time.

**Recommendation**

Consider time-limiting this capability, or removing it if it is not needed.

**Status**

The issue has been resolved.

## Issue 04

| **Type**      | **Severity**                             | **Location** | **Status**                                                                          |
| ------------- | ---------------------------------------- | ------------ | ----------------------------------------------------------------------------------- |
| Volatile Code | <mark style="color:red;">**High**</mark> | `_transfer`  | <mark style="color:green;">✔️</mark> <mark style="color:green;">**Resolved**</mark> |

**Description**

`_transfer` may internally call `swapExactTokensForETHSupportingFeeOnTransferTokens` and `addLiquidityETH`, which may cause `_transfer` to fail unnecessarily.

**Recommendation**

`_transfer` should always work: to ensure the token always remains tradable, it should not fail when `swapExactTokensForETHSupportingFeeOnTransferTokens` or `addLiquidityETH` fails.

Wrap these calls in try/catch.

**Status**

The issue has been resolved.

## Issue 05

| **Type**         | **Severity**                               | **Location** | **Status**                                                                          |
| ---------------- | ------------------------------------------ | ------------ | ----------------------------------------------------------------------------------- |
| Gas Optimization | <mark style="color:yellow;">**Low**</mark> | `_transfer`  | <mark style="color:green;">✔️</mark> <mark style="color:green;">**Resolved**</mark> |

**Description**

`approve` is called on every transfer that automatically contributes liquidity to the pool, on the same token and for the same spender (the router).

**Recommendation**

To reduce gas costs, `approve` could be called once (with the maximum integer value).
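An added example (not the audited contract's code) covering the recommendations of Issues 01, 04 and 05 together: `receive` accepts BNB only from the router, both router calls in the auto-liquidity step are wrapped in `try`/`catch` so a failure there cannot revert `_transfer`, and the router allowance is granted once with the maximum value in the constructor. The router function signatures are PancakeSwap's; the OpenZeppelin `ERC20` base, the contract and all other names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// The two PancakeSwap router functions named in Issue 04 (real signatures).
interface IPancakeRouter {
    function WETH() external pure returns (address);
    function swapExactTokensForETHSupportingFeeOnTransferTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline) external;
    function addLiquidityETH(address token, uint256 amountTokenDesired, uint256 amountTokenMin,
        uint256 amountETHMin, address to, uint256 deadline) external payable returns (uint256, uint256, uint256);
}

// Example contract, not the audited token; names other than the router functions are assumptions.
contract SafeAutoLiquidity is ERC20 {
    IPancakeRouter public immutable router;
    address public immutable lpReceiver;
    event SwapAndLiquifyFailed(string step, bytes reason);

    constructor(address router_) ERC20("Example", "EXM") {
        router = IPancakeRouter(router_);
        lpReceiver = msg.sender;
        // Issue 05: one max approval for the router instead of one per transfer.
        _approve(address(this), router_, type(uint256).max);
        _mint(msg.sender, 1_000_000 ether);
    }

    // Issue 01: only the router may send BNB here (swap proceeds); anyone else reverts.
    receive() external payable {
        require(msg.sender == address(router), "receive: sender not whitelisted");
    }

    // Issue 04: called from _transfer. If either router call fails, an event is
    // emitted and we return, so the token transfer itself still completes.
    function _swapAndLiquify(uint256 tokens) internal {
        uint256 half = tokens / 2;
        address[] memory path = new address[](2);
        path[0] = address(this);
        path[1] = router.WETH();
        uint256 bnbBefore = address(this).balance;
        try router.swapExactTokensForETHSupportingFeeOnTransferTokens(half, 0, path, address(this), block.timestamp) {
        } catch (bytes memory reason) {
            emit SwapAndLiquifyFailed("swap", reason);
            return; // no BNB arrived, nothing to pair
        }
        uint256 bnbReceived = address(this).balance - bnbBefore;
        try router.addLiquidityETH{value: bnbReceived}(address(this), tokens - half, 0, 0, lpReceiver, block.timestamp) {
        } catch (bytes memory reason) {
            emit SwapAndLiquifyFailed("addLiquidity", reason);
        }
    }
}
```

The zero minimum amounts passed to the router are kept for brevity; the point demonstrated is that the failure of either call is caught rather than propagated.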

**Status**

The issue has been resolved.
