Bogged Finance: Limit Orders, Stop Losses, Sniper, Swaps and more all powered by $BOG.
BogTools is a suite of tools for DeFi. The project's cornerstone, bogged.finance, aims to bring Centralized Exchange (CEX) features to DeFi users. With Limit Orders, Snipers, Stop Losses, Smarter DEX features and more, $BOG is the home of traders on DeFi.
Reentrancy in BOG._transferFrom(address,address,uint256) (#305-325):
External calls:
- autoLiquify() (#315)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#365-371)
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
External calls sending eth:
- autoLiquify() (#315)
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
State variables written after the call(s):
- _balances[sender] = _balances[sender].sub(amount,Insufficient Balance) (#317)
- _balances[recipient] = _balances[recipient].add(amountReceived) (#321)
- amountReceived = takeFee(sender,amount) (#319)
- _balances[address(this)] = _balances[address(this)].add(liquidityFeeAmount) (#335)
- _balances[stakingFeeReceiver] = _balances[stakingFeeReceiver].add(stakingFeeAmount) (#336)
Apply the check-effects-interactions pattern.
BOG.autoLiquify() (#356-385) sends eth to arbitrary user
Dangerous calls:
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to an arbitrary destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
Contract ownership is not renounced (belongs to a wallet)
BOGAuth.transferOwnership(address).adr (#143) lacks a zero-check on :
- owner = adr (#144)
BOG.constructor(address,address)._owner (#255) lacks a zero-check on :
- address(_owner).transfer(address(this).balance) (#268)
BOG.migrateAutoLiquidityDEX(address,address)._liquifyPair (#403) lacks a zero-check on :
- liquifyPair = _liquifyPair (#406)
BOG.setFeeReceivers(address,address)._autoLiquidityReceiver (#435) lacks a zero-check on :
- autoLiquidityReceiver = _autoLiquidityReceiver (#436)
BOG.setFeeReceivers(address,address)._stakingFeeReceiver (#435) lacks a zero-check on :
- stakingFeeReceiver = _stakingFeeReceiver (#437)
Check that the address is not zero.
Reentrancy in BOG.constructor(address,address) (#255-269):
External calls:
- liquifyPair = IDEXFactory(router.factory()).createPair(WBNB,address(this)) (#258)
State variables written after the call(s):
- _allowances[address(this)][_router] = uint256(- 1) (#260)
- _balances[_owner] = _totalSupply (#265)
- hasFee[liquifyPair] = true (#261)
- isExempt[_owner] = true (#262)
- isExempt[address(this)] = true (#263)
Apply the check-effects-interactions pattern.
BOG._totalSupply (#228) should be constant
Add the constant attributes to state variables that never change.
BOG.autoLiquify() (#356-385) ignores return value by router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
Ensure that all the return values of the function calls are used.
BOG.setTxLimit(uint256) (#392-395) should emit an event for:
- _maxTxAmount = amount (#394)
BOG.setLiquify(bool,uint256) (#397-401) should emit an event for:
- liquifyAmount = amount (#400)
BOG.setFees(uint256,uint256,uint256) (#426-433) should emit an event for:
- autoLiquidityFee = _liquidityFee (#427)
- stakingFee = _stakingFee (#428)
- feeDenominator = _feeDenominator (#430)
Emit an event for critical parameter changes.
Reentrancy in BOG._transferFrom(address,address,uint256) (#305-325):
External calls:
- autoLiquify() (#315)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#365-371)
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
External calls sending eth:
- autoLiquify() (#315)
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
Event emitted after the call(s):
- Transfer(sender,address(this),liquidityFeeAmount) (#338)
- amountReceived = takeFee(sender,amount) (#319)
- Transfer(sender,stakingFeeReceiver,stakingFeeAmount) (#339)
- amountReceived = takeFee(sender,amount) (#319)
- Transfer(sender,recipient,amountReceived) (#323)
Reentrancy in BOG.autoLiquify() (#356-385):
External calls:
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#365-371)
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
External calls sending eth:
- router.addLiquidityETH{value: amountBNB}(address(this),amountToSwap,0,0,autoLiquidityReceiver,block.timestamp) (#375-384)
Event emitted after the call(s):
- AutoLiquify(amountBNB,amountToSwap) (#383)
Reentrancy in BOG.constructor(address,address) (#255-269):
External calls:
- liquifyPair = IDEXFactory(router.factory()).createPair(WBNB,address(this)) (#258)
Event emitted after the call(s):
- Transfer(address(0),_owner,_totalSupply) (#266)
Apply the check-effects-interactions pattern.
Pragma version^0.7.4 (#3) allows old versions
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6. Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Function IDEXRouter.WETH() (#194) is not in mixedCase
Parameter BOG.migrateAutoLiquidityDEX(address,address)._router (#403) is not in mixedCase
Parameter BOG.migrateAutoLiquidityDEX(address,address)._liquifyPair (#403) is not in mixedCase
Parameter BOG.setFees(uint256,uint256,uint256)._liquidityFee (#426) is not in mixedCase
Parameter BOG.setFees(uint256,uint256,uint256)._stakingFee (#426) is not in mixedCase
Parameter BOG.setFees(uint256,uint256,uint256)._feeDenominator (#426) is not in mixedCase
Parameter BOG.setFeeReceivers(address,address)._autoLiquidityReceiver (#435) is not in mixedCase
Parameter BOG.setFeeReceivers(address,address)._stakingFeeReceiver (#435) is not in mixedCase
Constant BOG._name (#224) is not in UPPER_CASE_WITH_UNDERSCORES
Constant BOG._symbol (#225) is not in UPPER_CASE_WITH_UNDERSCORES
Constant BOG._decimals (#226) is not in UPPER_CASE_WITH_UNDERSCORES
Variable BOG._maxTxAmount (#229) is not in mixedCase
Variable BOG.WBNB (#245) is not in mixedCase
Follow the Solidity naming convention.
BOG.slitherConstructorVariables() (#221-446) uses literals with too many digits:
- _totalSupply = 15000000 * (10 ** _decimals) (#228)
Use: Ether suffix, Time suffix, or the scientific notation.
authorize(address) should be declared external:
- BOGAuth.authorize(address) (#113-116)
unauthorize(address) should be declared external:
- BOGAuth.unauthorize(address) (#121-124)
transferOwnership(address) should be declared external:
- BOGAuth.transferOwnership(address) (#143-147)
unpause() should be declared external:
- BOGPausable.unpause() (#175-177)
Use the external attribute for functions never called from the contract.
Young tokens have high risks of price dump / death
Unable to find YouTube account