BlueShib.swapBack() (#339-380) sends eth to arbitrary user
Dangerous calls:
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
BlueShib.manualSend() (#446-449) sends eth to arbitrary user
Dangerous calls:
- address(devFeeReceiver).transfer(contractETHBalance) (#448)
BlueShib.transferForeignToken(address) (#451-455) sends eth to arbitrary user
Dangerous calls:
- address(devFeeReceiver).transfer(_contractBalance) (#454)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Additional information: link
Reentrancy in BlueShib._transferFrom(address,address,uint256) (#274-300):
External calls:
- swapBack() (#289)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#350-356)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
External calls sending eth:
- swapBack() (#289)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
State variables written after the call(s):
- _balances[sender] = _balances[sender].sub(amount,Insufficient Balance) (#293)
- _balances[recipient] = _balances[recipient].add(amountReceived) (#296)
- amountReceived = takeFee(sender,recipient,amount) (#295)
- _balances[address(this)] = _balances[address(this)].add(feeAmount) (#326)
Apply the check-effects-interactions pattern.
Additional information: link
Unable to find manual contract audit (e.g. Certik, PeckShield, Solidity...)
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitraty destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
Contract ownership is not renounced (belongs to a wallet)
BlueShib.slitherConstructorVariables() (#172-471) performs a multiplication on the result of a division:
-swapThreshold = _totalSupply / 10000 * 50 (#212)
Consider ordering multiplication before division.
Additional information: link
BlueShib.swapBack() (#339-380) ignores return value by router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
Ensure that all the return values of the function calls are used.
Additional information: link
BlueShib.setFees(uint256,uint256,uint256,uint256) (#408-414) should emit an event for:
- liquidityFee = _liquidityFee (#409)
- marketingFee = _marketingFee (#410)
- devFee = _devFee (#411)
- totalFee = _liquidityFee.add(_marketingFee).add(_devFee) (#412)
- feeDenominator = _feeDenominator (#413)
BlueShib.setSellMultiplier(uint256) (#426-428) should emit an event for:
- _sellMultiplier = multiplier (#427)
BlueShib.setTxLimit(uint256) (#434-437) should emit an event for:
- _maxTxAmount = amountBuy (#435)
BlueShib.setSwapBackSettings(bool,uint256) (#438-441) should emit an event for:
- swapThreshold = _amount (#440)
Emit an event for critical parameter changes.
Additional information: link
Auth.transferOwnership(address).adr (#101) lacks a zero-check on :
- owner = adr (#102)
BlueShib.setFeeReceiver(address,address)._marketingFeeReceiver (#429) lacks a zero-check on :
- marketingFeeReceiver = _marketingFeeReceiver (#430)
BlueShib.setFeeReceiver(address,address)._devFeeReceiver (#429) lacks a zero-check on :
- devFeeReceiver = _devFeeReceiver (#431)
Check that the address is not zero.
Additional information: link
Reentrancy in BlueShib._transferFrom(address,address,uint256) (#274-300):
External calls:
- swapBack() (#289)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#350-356)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
External calls sending eth:
- swapBack() (#289)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
State variables written after the call(s):
- launch() (#291)
- launchedAt = block.number (#400)
Reentrancy in BlueShib.constructor() (#221-240):
External calls:
- pair = IDEXFactory(router.factory()).createPair(WBNB,address(this)) (#223)
State variables written after the call(s):
- _allowances[address(this)][address(router)] = type()(uint256).max (#224)
- _balances[_owner] = _totalSupply (#238)
- isFeeExempt[msg.sender] = true (#227)
- isTimelockExempt[msg.sender] = true (#233)
- isTimelockExempt[DEAD] = true (#234)
- isTimelockExempt[address(this)] = true (#235)
- isTxLimitExempt[address(this)] = true (#228)
- isTxLimitExempt[routerAddress] = true (#229)
- isTxLimitExempt[msg.sender] = true (#230)
Apply the check-effects-interactions pattern.
Additional information: link
Reentrancy in BlueShib._transferFrom(address,address,uint256) (#274-300):
External calls:
- swapBack() (#289)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#350-356)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
External calls sending eth:
- swapBack() (#289)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
Event emitted after the call(s):
- Transfer(sender,address(this),feeAmount) (#327)
- amountReceived = takeFee(sender,recipient,amount) (#295)
- Transfer(sender,recipient,amountReceived) (#298)
Reentrancy in BlueShib.constructor() (#221-240):
External calls:
- pair = IDEXFactory(router.factory()).createPair(WBNB,address(this)) (#223)
Event emitted after the call(s):
- Transfer(address(0),_owner,_totalSupply) (#239)
Reentrancy in BlueShib.swapBack() (#339-380):
External calls:
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#350-356)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
External calls sending eth:
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,devFeeReceiver,block.timestamp) (#370-377)
Event emitted after the call(s):
- AutoLiquify(amountBNBLiquidity,amountToLiquify) (#378)
Apply the check-effects-interactions pattern.
Additional information: link
BlueShib._transferFrom(address,address,uint256) (#274-300) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(cooldownTimer[recipient] < block.timestamp,Please wait for 1min between two operations) (#286)
Avoid relying on block.timestamp.
Additional information: link
BlueShib.buyTokens(uint256,address) (#382-393) is never used and should be removed
Remove unused functions.
Additional information: link
BlueShib._maxTxAmount (#185) is set pre-construction with a non-constant function or state variable:
- (_totalSupply * 1) / 100
BlueShib._maxWalletSize (#186) is set pre-construction with a non-constant function or state variable:
- (_totalSupply * 2) / 100
BlueShib.swapThreshold (#212) is set pre-construction with a non-constant function or state variable:
- _totalSupply / 10000 * 50
Remove any initialization of state variables via non-constant state variables or function calls. If variables must be set upon contract deployment, locate initialization in the constructor instead.
Additional information: link
Pragma version^0.8.11 (#11) necessitates a version too recent to be trusted. Consider deploying with 0.6.12/0.7.6/0.8.7
solc-0.8.11 is not recommended for deployment
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6 Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Additional information: link
Low level call in BlueShib.swapBack() (#339-380):
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#364)
- (devSuccess) = address(devFeeReceiver).call{gas: 30000,value: amountBNBdev}() (#366)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence
Additional information: link
Variable Auth._intAddr (#76) is not in mixedCase
Function IDEXRouter.WETH() (#126) is not in mixedCase
Parameter BlueShib.setFees(uint256,uint256,uint256,uint256)._liquidityFee (#408) is not in mixedCase
Parameter BlueShib.setFees(uint256,uint256,uint256,uint256)._marketingFee (#408) is not in mixedCase
Parameter BlueShib.setFees(uint256,uint256,uint256,uint256)._devFee (#408) is not in mixedCase
Parameter BlueShib.setFees(uint256,uint256,uint256,uint256)._feeDenominator (#408) is not in mixedCase
Parameter BlueShib.cooldownEnabled(bool,uint8)._status (#416) is not in mixedCase
Parameter BlueShib.cooldownEnabled(bool,uint8)._interval (#416) is not in mixedCase
Parameter BlueShib.setFeeReceiver(address,address)._marketingFeeReceiver (#429) is not in mixedCase
Parameter BlueShib.setFeeReceiver(address,address)._devFeeReceiver (#429) is not in mixedCase
Parameter BlueShib.setSwapBackSettings(bool,uint256)._enabled (#438) is not in mixedCase
Parameter BlueShib.setSwapBackSettings(bool,uint256)._amount (#438) is not in mixedCase
Parameter BlueShib.isBots(address,bool)._address (#443) is not in mixedCase
Parameter BlueShib.isBots(address,bool)._value (#443) is not in mixedCase
Parameter BlueShib.transferForeignToken(address)._token (#451) is not in mixedCase
Variable BlueShib.WBNB (#175) is not in mixedCase
Variable BlueShib.DEAD (#176) is not in mixedCase
Variable BlueShib.ZERO (#177) is not in mixedCase
Constant BlueShib._name (#180) is not in UPPER_CASE_WITH_UNDERSCORES
Constant BlueShib._symbol (#181) is not in UPPER_CASE_WITH_UNDERSCORES
Constant BlueShib._decimals (#182) is not in UPPER_CASE_WITH_UNDERSCORES
Variable BlueShib._totalSupply (#184) is not in mixedCase
Variable BlueShib._maxTxAmount (#185) is not in mixedCase
Variable BlueShib._maxWalletSize (#186) is not in mixedCase
Variable BlueShib._balances (#188) is not in mixedCase
Variable BlueShib._allowances (#189) is not in mixedCase
Variable BlueShib._sellMultiplier (#201) is not in mixedCase
Follow the Solidity naming convention.
Additional information: link
Variable IDEXRouter.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountADesired (#131) is too similar to IDEXRouter.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountBDesired (#132)
Prevent variables from having similar names.
Additional information: link
BlueShib.slitherConstructorVariables() (#172-471) uses literals with too many digits:
- DEAD = 0x000000000000000000000000000000000000dEaD (#176)
BlueShib.slitherConstructorVariables() (#172-471) uses literals with too many digits:
- ZERO = 0x0000000000000000000000000000000000000000 (#177)
BlueShib.slitherConstructorVariables() (#172-471) uses literals with too many digits:
- _totalSupply = 1000000000000 * (10 ** _decimals) (#184)
Use: Ether suffix, Time suffix, or The scientific notation
Additional information: link
BlueShib.DEAD (#176) should be constant
BlueShib.WBNB (#175) should be constant
BlueShib.ZERO (#177) should be constant
BlueShib._totalSupply (#184) should be constant
BlueShib.routerAddress (#178) should be constant
Add the constant attributes to state variables that never change.
Additional information: link
transferOwnership(address) should be declared external:
- Auth.transferOwnership(address) (#101-105)
renounceOwnership() should be declared external:
- Auth.renounceOwnership() (#113-115)
cooldownEnabled(bool,uint8) should be declared external:
- BlueShib.cooldownEnabled(bool,uint8) (#416-419)
isBots(address,bool) should be declared external:
- BlueShib.isBots(address,bool) (#443-445)
transferForeignToken(address) should be declared external:
- BlueShib.transferForeignToken(address) (#451-455)
isOverLiquified(uint256,uint256) should be declared external:
- BlueShib.isOverLiquified(uint256,uint256) (#465-467)
Use the external attribute for functions never called from the contract.
Additional information: link
Contract ticker ($BSHIB) contains non-alphanumeric characters.
Not a direct threat, but may indicate unreliable intentions of developer. Non-alphanumeric chars (,.;!#*&") are extremely rare among low risk tokens.
Average 30d PancakeSwap liquidity is less than $100. Token is either dead or inactive.
Average 30d PancakeSwap volume is less than $100. Token is either dead or inactive.
Number of Binance Smart Chain (BSC) token holders is less than 100. Token is either dead or inactive. Ignore for presale.
Contract has 10% buy tax and 9% sell tax.
Taxes are low but contract ownership is not renounced. Token has a high risk of becoming a honeypot.
Average 30d number of PancakeSwap swaps is low.
Token is deployed only at one blockchain
Token has only one trading pair
Unable to find website, listings and other project-related information
Young tokens have high risks of scam / price dump / death
Token has no active CoinGecko listing / rank
Token has no active CoinMarketCap listing / rank
Unable to find Telegram and Twitter accounts