Alchemy is the pioneer of the Hybrid Crypto-Fiat Gateway, bridging the gap between the fiat and crypto economies and driving crypto adoption by making payments, blockchain solutions and DeFi services readily available to everyone.
AnyswapV5ERC20.initVault(address)._vault (#207) lacks a zero-check on :
- vault = _vault (#209)
- pendingVault = _vault (#210)
AnyswapV5ERC20.constructor(string,string,uint8,address,address)._underlying (#302) lacks a zero-check on :
- underlying = _underlying (#306)
AnyswapV5ERC20.setVault(address)._vault (#222) lacks a zero-check on :
- pendingVault = _vault (#223)
AnyswapV5ERC20.setMinter(address)._auth (#217) lacks a zero-check on :
- pendingMinter = _auth (#218)
AnyswapV5ERC20.constructor(string,string,uint8,address,address)._vault (#302) lacks a zero-check on :
- vault = _vault (#317)
- pendingVault = _vault (#318)
Check that the address is not zero.
AnyswapV5ERC20.depositWithTransferPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#343-346) ignores return value by IERC20(underlying).transferWithPermit(target,address(this),value,deadline,v,r,s) (#344)
Ensure that all the return values of the function calls are used.
Reentrancy in AnyswapV5ERC20.depositWithPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#337-341):
External calls:
- IERC20(underlying).permit(target,address(this),value,deadline,v,r,s) (#338)
- IERC20(underlying).safeTransferFrom(target,address(this),value) (#339)
State variables written after the call(s):
- _deposit(value,to) (#340)
- _totalSupply += amount (#408)
- _deposit(value,to) (#340)
- balanceOf[account] += amount (#409)
Reentrancy in AnyswapV5ERC20.deposit(uint256) (#354-357):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#355)
State variables written after the call(s):
- _deposit(amount,msg.sender) (#356)
- _totalSupply += amount (#408)
- _deposit(amount,msg.sender) (#356)
- balanceOf[account] += amount (#409)
Reentrancy in AnyswapV5ERC20.depositWithTransferPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#343-346):
External calls:
- IERC20(underlying).transferWithPermit(target,address(this),value,deadline,v,r,s) (#344)
State variables written after the call(s):
- _deposit(value,to) (#345)
- _totalSupply += amount (#408)
- _deposit(value,to) (#345)
- balanceOf[account] += amount (#409)
Reentrancy in AnyswapV5ERC20.deposit(uint256,address) (#359-362):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#360)
State variables written after the call(s):
- _deposit(amount,to) (#361)
- _totalSupply += amount (#408)
- _deposit(amount,to) (#361)
- balanceOf[account] += amount (#409)
Reentrancy in AnyswapV5ERC20.deposit() (#348-352):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),_amount) (#350)
State variables written after the call(s):
- _deposit(_amount,msg.sender) (#351)
- _totalSupply += amount (#408)
- _deposit(_amount,msg.sender) (#351)
- balanceOf[account] += amount (#409)
Apply the check-effects-interactions pattern.
Reentrancy in AnyswapV5ERC20.depositWithTransferPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#343-346):
External calls:
- IERC20(underlying).transferWithPermit(target,address(this),value,deadline,v,r,s) (#344)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#410)
- _deposit(value,to) (#345)
Reentrancy in AnyswapV5ERC20.deposit(uint256,address) (#359-362):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#360)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#410)
- _deposit(amount,to) (#361)
Reentrancy in AnyswapV5ERC20.deposit() (#348-352):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),_amount) (#350)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#410)
- _deposit(_amount,msg.sender) (#351)
Reentrancy in AnyswapV5ERC20.deposit(uint256) (#354-357):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#355)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#410)
- _deposit(amount,msg.sender) (#356)
Reentrancy in AnyswapV5ERC20.depositWithPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#337-341):
External calls:
- IERC20(underlying).permit(target,address(this),value,deadline,v,r,s) (#338)
- IERC20(underlying).safeTransferFrom(target,address(this),value) (#339)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#410)
- _deposit(value,to) (#340)
Apply the check-effects-interactions pattern.
AnyswapV5ERC20.applyMinter() (#232-236) uses timestamp for comparisons
Dangerous comparisons:
- require(bool)(block.timestamp >= delayMinter) (#233)
AnyswapV5ERC20.transferWithPermit(address,address,uint256,uint256,uint8,bytes32,bytes32) (#484-508) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(block.timestamp <= deadline,AnyswapV3ERC20: Expired permit) (#485)
AnyswapV5ERC20.permit(address,address,uint256,uint256,uint8,bytes32,bytes32) (#465-482) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(block.timestamp <= deadline,AnyswapV3ERC20: Expired permit) (#466)
AnyswapV5ERC20.applyVault() (#227-230) uses timestamp for comparisons
Dangerous comparisons:
- require(bool)(block.timestamp >= delayVault) (#228)
AnyswapV5ERC20.mpc() (#196-201) uses timestamp for comparisons
Dangerous comparisons:
- block.timestamp >= delayVault (#197)
Avoid relying on block.timestamp.
Address.isContract(address) (#99-105) uses assembly
- INLINE ASM (#103)
AnyswapV5ERC20.constructor(string,string,uint8,address,address) (#302-330) uses assembly
- INLINE ASM (#322)
Do not use evm assembly.
SafeERC20.safeApprove(IERC20,address,uint256) (#119-124) is never used and should be removed
Remove unused functions.
solc-0.8.2 is not recommended for deployment
Pragma version0.8.2 (#27) allows old versions
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6. Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Low level call in SafeERC20.callOptionalReturn(IERC20,bytes) (#125-136):
- (success,returndata) = address(token).call(data) (#129)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence.
Parameter AnyswapV5ERC20.setVault(address)._vault (#222) is not in mixedCase
Function AnyswapV5ERC20.Swapin(bytes32,address,uint256) (#275-279) is not in mixedCase
Function AnyswapV5ERC20.Swapout(uint256,address) (#281-287) is not in mixedCase
Variable AnyswapV5ERC20.DOMAIN_SEPARATOR (#149) is not in mixedCase
Parameter AnyswapV5ERC20.initVault(address)._vault (#207) is not in mixedCase
Parameter AnyswapV5ERC20.revokeMinter(address)._auth (#239) is not in mixedCase
Parameter AnyswapV5ERC20.setMinter(address)._auth (#217) is not in mixedCase
Follow the Solidity naming convention.
AnyswapV5ERC20.delayDelay (#179) should be constant
AnyswapV5ERC20.pendingDelay (#178) should be constant
AnyswapV5ERC20.delay (#162) should be constant
Add the constant attributes to state variables that never change.
changeMPCOwner(address) should be declared external:
- AnyswapV5ERC20.changeMPCOwner(address) (#256-262)
owner() should be declared external:
- AnyswapV5ERC20.owner() (#192-194)
Swapout(uint256,address) should be declared external:
- AnyswapV5ERC20.Swapout(uint256,address) (#281-287)
Swapin(bytes32,address,uint256) should be declared external:
- AnyswapV5ERC20.Swapin(bytes32,address,uint256) (#275-279)
Use the external attribute for functions never called from the contract.
Unable to find audit link on the website
Unable to find whitepaper link on the website
Token is not listed at Mobula.Finance
Twitter account link seems to be invalid