# Presale.sol ### Issue 01 | **Type** | **Severity** | **Location** | **Status** | | ------------- | ------------------------------------------ | ----------------------------- | ---------------------------------------------- | | Logical Issue | **Low** |

Line 73

| **✔️ Fixed** | **Description** Line 73 enforces that busdLimits\[0] is strictly smaller than busdLimits\[1]. Some presales may wish to provide only a single contribution amount, which isn't possible with this condition. **Recommendation** Consider changing the condition to "<=" ### Issue 02
TypeSeverityLocationStatus
TypeSeverityLocationStatus
Logical IssueHighjoin(), withdrawRaisedFunds()✔️ Fixed
**Description** If a malicious user sends BUSD to the contract, he can make `tokenAmount` greater than the available tokenX balance, which will make the withdrawal fail. This issue can also arise if there is no hardcap and the presale contract raised more funds than the owner has tokenX to cover. **Recommendation** Calculate `tokenAmount` based on raised funds, not on BUSD balance, and make sure the owner has enough tokens to cover all amount of raised funds. Note that in these cases, users will **not be able to get refunds** until the presale is manually canceled. Same issue as above on `closePresale()` ### Issue 03 | **Type** | **Severity** | **Location** | **Status** | | ---------------- | --------------------------------------------------- | --------------- | ---------------------------------------------- | | Gaz optimisation | **Informational** | `onlyFactory()` | **✔️ Fixed** | **Description** `onlyFactory()` modifier is not used. ### Issue 04 | **Type** | **Severity** | **Location** | **Status** | | ------------- | --------------------------------------------- | ----------------------- | ---------------------------------------------- | | Logical Issue | **Medium** | `withdrawRaisedFunds()` | **✔️ Fixed** | **Description** withdrawRaisedFunds() requires that ``` block.timestamp >= presaleCloseAt ``` without checking if hardcap was already reached. **Recommendation** If hardcap was reached before presaleCloseAt, allow withdrawRaisedFunds to continue as the presale has ended de-facto. ### Issue 05 | **Type** | **Severity** | **Location** | **Status** | | ------------- | ------------------------------------------ | ------------- | ---------------------------------------------------------------------------------------------- | | Best Practice | **Low** | `getRefund()` | **⚠️**** ****Consider** | **Description** If presale was successful (softcap was reached) users' funds are locked until either the presale is canceled or the team calls withdrawRaisedFunds. **Recommendation**: Consider taking a more decentralized approach - if presale wasn't canceled or withdrawRaisedFunds after a set amount of time, users can automatically call getRefund. **Note** After hardcap is reached, investors are still able to withdraw their funds as long as the presale wasn't finalized by calling withdrawRaisedFunds. Please note, that this can create a scenario where presale bounces between filled and not filled, because users can get a refund even after hardcap was reached. ### Issue 06 | **Type** | **Severity** | **Location** | **Status** | | ------------- | --------------------------------------------- | ------------ | --------------------------------------------- | | Logical Issue | **Medium** | `join()` | **✔️Fixed** | **Description** Contract can buy shield-network token to participate in presale, call join function and sell shield network token immediately. By doing that, they can bypass the minimum amount of tokens required to participate. **Recommendation** require tx.origin to be msg.sender in order to prevent contracts from participating in presale ### Issue 07 | **Type** | **Severity** | **Location** | **Status** | | ------------- | --------------------------------------------------- | ------------ | --------------------------------------------- | | Best Practice | **Informational** | `join()` | **✔️Fixed** | **Description** BUSD name is not indicative, since the presale can raise funds in any token and not restricted to be BUSD. ### Issue 08 | **Type** | **Severity** | **Location** | **Status** | | ------------- | --------------------------------------------- | ------------ | --------------------------------------------- | | Best Practice | **Medium** | `join()` | **✔️Fixed** | #### **Description** The join function checks the amount of raised BUSD using busd.balanceOf. Thus, if users erroneously send BUSD directly to the contract they will not receive tokens, but the project creator will receive their funds. **Recommendation** In `withdrawRaisedFunds` transfer all excess BUSD to shield network, and in the join function perform the check using raisedFunds instead of busd balanceOf(address(this)). ### Issue 09 | **Type** | **Severity** | **Location** | **Status** | | ------------- | ---------------------------------------- | ------------------------------------------- | --------------------------------------------- | | Logical Issue | **High** |

withdrawRaisedFunds()

| **✔️Fixed** | **Description** if tokenX has fees then when the presale owner transfer tokenX to the contract for distribution in withdrawRaisedFunds, the contract will receive less tokens than expected, which will guarantee that several presale participants won't be able to receive their tokens. **Recommendation** Add a sanity check that ensures that after the tokenX transfer, the tokenX balance of the presale contract is at least the expected `tokenXAmount.` ⚠️ Please note that in this scenario, presale does not support tokens with fees on transfer. This should be communicated to clients.