🚀 HyperonChain - Decentralized DPoS Blockchain | 🚀 Hyperon Ecosystem - Staking, Blockchain Developer Tools (Hyperon Oraclize, HTLS, File Storage), Yield Farming, HyperonSale, NFT Workspace, 🔹✅ Hyperon MetaWorld - 👩🎨 MetaVerse (2D & 3D), Google Lenses & Microsoft Hololens, Unity Integration Framework | 🔹✅ SAFU, Audited, KYCed, Team Vesting
HyperonChain.contractSwap(uint256) (#587-623) sends eth to arbitrary user
Dangerous calls:
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Reentrancy in HyperonChain._transfer(address,address,uint256) (#536-585):
External calls:
- contractSwap(contractTokenBalance) (#578)
- dexRouter.swapExactTokensForETHSupportingFeeOnTransferTokens(contractTokenBalance,0,path,address(this),block.timestamp) (#601-609)
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- reflector.tally(from,_tOwned[from]) (#691)
- reflector.tally(to,_tOwned[to]) (#694)
- antiSnipe.checkUser(from,to,amount) (#666-667)
- reflector.cashout(reflectorGas) (#697)
External calls sending eth:
- contractSwap(contractTokenBalance) (#578)
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
State variables written after the call(s):
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- _liquidityHolders[from] = true (#628)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- _tOwned[address(this)] += feeAmount (#720)
- _tOwned[from] -= amount (#676)
- _tOwned[to] += amountReceived (#681)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- antiSnipe = AntiSnipe(address(this)) (#631)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- contractSwapEnabled = true (#636)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- reflector = Cashier(address(this)) (#634)
Apply the check-effects-interactions pattern.
Unable to verify that contract auditor is trusted: Certik, Quantstamp, Hacken, Solidity, Paladinsec, Openzeppelin, Verichains
Contract ownership is not renounced (belongs to a wallet)
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitrary destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool).check (#666) is a local variable never initialized
HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool).checked (#665) is a local variable never initialized
Initialize all the variables. If a variable is meant to be initialized to zero, explicitly set it to zero to improve code readability.
HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool) (#657-687) ignores return value by antiSnipe.checkUser(from,to,amount) (#666-667)
Ensure that all the return values of the function calls are used.
HyperonChain.setOperator(address).newOperator (#288) lacks a zero-check on :
- operator = newOperator (#295)
Check that the address is not zero.
Reentrancy in HyperonChain.enableTrading() (#642-655):
External calls:
- antiSnipe.setLaunch(lpPair,uint32(block.number),uint64(block.timestamp),_decimals) (#648)
- reflector.initialize() (#649)
State variables written after the call(s):
- tradingEnabled = true (#650)
Reentrancy in HyperonChain.transferOwner(address) (#260-276):
External calls:
- finalizeTransfer(_owner,newOwner,balanceOf(_owner),false,false,true) (#269)
- reflector.tally(from,_tOwned[from]) (#691)
- reflector.tally(to,_tOwned[to]) (#694)
- antiSnipe.checkUser(from,to,amount) (#666-667)
- reflector.cashout(reflectorGas) (#697)
State variables written after the call(s):
- _owner = newOwner (#273)
Apply the check-effects-interactions pattern.
HyperonChain.setLpPair(address,bool) (#362-374) uses timestamp for comparisons
Dangerous comparisons:
- timeSinceLastPair != 0 (#367)
- require(bool,string)(block.timestamp - timeSinceLastPair > 259200,Cannot set a new pair this week!) (#368)
Avoid relying on block.timestamp.
Reentrancy in HyperonChain.transferOwner(address) (#260-276):
External calls:
- finalizeTransfer(_owner,newOwner,balanceOf(_owner),false,false,true) (#269)
- reflector.tally(from,_tOwned[from]) (#691)
- reflector.tally(to,_tOwned[to]) (#694)
- antiSnipe.checkUser(from,to,amount) (#666-667)
- reflector.cashout(reflectorGas) (#697)
Event emitted after the call(s):
- OwnershipTransferred(oldOwner,newOwner) (#274)
Reentrancy in HyperonChain.setNewRouter(address) (#348-360):
External calls:
- lpPair = IFactoryV2(_newRouter.factory()).createPair(address(this),_newRouter.WETH()) (#353)
Event emitted after the call(s):
- Approval(sender,spender,amount) (#328)
- _approve(address(this),address(dexRouter),type()(uint256).max) (#359)
Reentrancy in HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool) (#657-687):
External calls:
- antiSnipe.checkUser(from,to,amount) (#666-667)
- processRewards(from,to) (#683)
- reflector.tally(from,_tOwned[from]) (#691)
- reflector.tally(to,_tOwned[to]) (#694)
- reflector.cashout(reflectorGas) (#697)
Event emitted after the call(s):
- Transfer(from,to,amountReceived) (#685)
Reentrancy in HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool) (#657-687):
External calls:
- antiSnipe.checkUser(from,to,amount) (#666-667)
Event emitted after the call(s):
- Transfer(from,address(this),feeAmount) (#721)
- amountReceived = takeTaxes(from,amount,buy,sell,other) (#679)
Reentrancy in HyperonChain._transfer(address,address,uint256) (#536-585):
External calls:
- contractSwap(contractTokenBalance) (#578)
- dexRouter.swapExactTokensForETHSupportingFeeOnTransferTokens(contractTokenBalance,0,path,address(this),block.timestamp) (#601-609)
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- reflector.tally(from,_tOwned[from]) (#691)
- reflector.tally(to,_tOwned[to]) (#694)
- antiSnipe.checkUser(from,to,amount) (#666-667)
- reflector.cashout(reflectorGas) (#697)
External calls sending eth:
- contractSwap(contractTokenBalance) (#578)
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
Event emitted after the call(s):
- ContractSwapEnabledUpdated(true) (#638)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- Transfer(from,address(this),feeAmount) (#721)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- Transfer(from,to,amountReceived) (#685)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
Apply the check-effects-interactions pattern.
HyperonChain._checkLiquidityAdd(address,address) (#625-640) has costly operations inside a loop:
- reflector = Cashier(address(this)) (#634)
HyperonChain._checkLiquidityAdd(address,address) (#625-640) has costly operations inside a loop:
- _hasLiqBeenAdded = true (#629)
HyperonChain._checkLiquidityAdd(address,address) (#625-640) has costly operations inside a loop:
- antiSnipe = AntiSnipe(address(this)) (#631)
HyperonChain._checkLiquidityAdd(address,address) (#625-640) has costly operations inside a loop:
- contractSwapEnabled = true (#636)
HyperonChain._checkLiquidityAdd(address,address) (#625-640) has costly operations inside a loop:
- allowedPresaleExclusion = false (#637)
Use a local variable to hold the loop computation result.
solc-0.8.16 is not recommended for deployment
Pragma version>=0.6.0<0.9.0 (#2) is too complex
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6. Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Low level call in HyperonChain.contractSwap(uint256) (#587-623):
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence.
HyperonChain.setPriceImpactSwapAmount(uint256) (#482-485) should emit an event for:
- piSwapPercent = priceImpactSwapPercent (#484)
HyperonChain.setMaxWalletSize(uint256,uint256) (#457-460) should emit an event for:
- _maxWalletSize = (_tTotal * percent) / divisor (#459)
HyperonChain.setReflectorSettings(uint256) (#499-502) should emit an event for:
- reflectorGas = gas (#501)
HyperonChain.setSwapSettings(uint256,uint256,uint256,uint256) (#474-480) should emit an event for:
- swapThreshold = (_tTotal * thresholdPercent) / thresholdDivisor (#475)
- swapAmount = (_tTotal * amountPercent) / amountDivisor (#476)
HyperonChain.setMaxTxPercent(uint256,uint256) (#452-455) should emit an event for:
- _maxTxAmount = (_tTotal * percent) / divisor (#454)
Emit an event for critical parameter changes.
HyperonChain.processRewards(address,address) (#689-699) has external calls inside a loop: reflector.cashout(reflectorGas) (#697)
HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool) (#657-687) has external calls inside a loop: antiSnipe.checkUser(from,to,amount) (#666-667)
HyperonChain.processRewards(address,address) (#689-699) has external calls inside a loop: reflector.tally(to,_tOwned[to]) (#694)
HyperonChain.processRewards(address,address) (#689-699) has external calls inside a loop: reflector.tally(from,_tOwned[from]) (#691)
Favor pull over push strategy for external calls.
Variable 'HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool).check (#666)' in HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool) (#657-687) potentially used before declaration: checked = check (#667)
Move all variable declarations prior to any usage of the variable, and ensure that reaching a variable declaration does not depend on some conditional if it is used unconditionally.
Reentrancy in HyperonChain.setNewRouter(address) (#348-360):
External calls:
- lpPair = IFactoryV2(_newRouter.factory()).createPair(address(this),_newRouter.WETH()) (#353)
State variables written after the call(s):
- _approve(address(this),address(dexRouter),type()(uint256).max) (#359)
- _allowances[sender][spender] = amount (#327)
- dexRouter = _newRouter (#358)
Reentrancy in HyperonChain._transfer(address,address,uint256) (#536-585):
External calls:
- contractSwap(contractTokenBalance) (#578)
- dexRouter.swapExactTokensForETHSupportingFeeOnTransferTokens(contractTokenBalance,0,path,address(this),block.timestamp) (#601-609)
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- reflector.tally(from,_tOwned[from]) (#691)
- reflector.tally(to,_tOwned[to]) (#694)
- antiSnipe.checkUser(from,to,amount) (#666-667)
- reflector.cashout(reflectorGas) (#697)
External calls sending eth:
- contractSwap(contractTokenBalance) (#578)
- reflector.load{value: rewardsBalance}() (#617)
- (success,None) = _taxWallets.marketing.call{gas: 35000,value: marketingBalance}() (#621)
State variables written after the call(s):
- finalizeTransfer(from,to,amount,buy,sell,other) (#584)
- allowedPresaleExclusion = false (#637)
Reentrancy in HyperonChain.enableTrading() (#642-655):
External calls:
- antiSnipe.setLaunch(lpPair,uint32(block.number),uint64(block.timestamp),_decimals) (#648)
- reflector.initialize() (#649)
State variables written after the call(s):
- allowedPresaleExclusion = false (#652)
- processReflect = true (#651)
- swapAmount = (balanceOf(lpPair) * 30) / 10000 (#654)
- swapThreshold = (balanceOf(lpPair) * 10) / 10000 (#653)
Reentrancy in HyperonChain.finalizeTransfer(address,address,uint256,bool,bool,bool) (#657-687):
External calls:
- antiSnipe.checkUser(from,to,amount) (#666-667)
State variables written after the call(s):
- _tOwned[from] -= amount (#676)
- amountReceived = takeTaxes(from,amount,buy,sell,other) (#679)
- _tOwned[address(this)] += feeAmount (#720)
- _tOwned[to] += amountReceived (#681)
Reentrancy in HyperonChain.excludePresaleAddresses(address,address) (#504-521):
External calls:
- setDividendExcluded(router,true) (#518)
- reflector.tally(holder,0) (#407)
- reflector.tally(holder,_tOwned[holder]) (#409)
- setDividendExcluded(presale,true) (#519)
- reflector.tally(holder,0) (#407)
- reflector.tally(holder,_tOwned[holder]) (#409)
State variables written after the call(s):
- setDividendExcluded(presale,true) (#519)
- _isExcludedFromDividends[holder] = enabled (#405)
Apply the check-effects-interactions pattern.
Variable HyperonChain._taxRates (#144-148) is not in mixedCase
Constant HyperonChain.masterTaxDivisor (#160) is not in UPPER_CASE_WITH_UNDERSCORES
Variable HyperonChain._allowances (#116) is not in mixedCase
Function IRouter01.WETH() (#33) is not in mixedCase
Constant HyperonChain.maxTransferTaxes (#158) is not in UPPER_CASE_WITH_UNDERSCORES
Constant HyperonChain._name (#126) is not in UPPER_CASE_WITH_UNDERSCORES
Parameter HyperonChain.setProtectionSettings(bool,bool)._antiSnipe (#425) is not in mixedCase
Constant HyperonChain.maxBuyTaxes (#156) is not in UPPER_CASE_WITH_UNDERSCORES
Constant HyperonChain.maxSellTaxes (#157) is not in UPPER_CASE_WITH_UNDERSCORES
Variable HyperonChain._hasLiqBeenAdded (#192) is not in mixedCase
Variable HyperonChain._tOwned (#113) is not in mixedCase
Constant HyperonChain.maxRoundtripTax (#159) is not in UPPER_CASE_WITH_UNDERSCORES
Constant HyperonChain._tTotal (#130) is not in UPPER_CASE_WITH_UNDERSCORES
Variable HyperonChain._ratios (#150-154) is not in mixedCase
Parameter HyperonChain.setRewardsProperties(uint256,uint256,uint256)._minPeriod (#494) is not in mixedCase
Constant HyperonChain._decimals (#128) is not in UPPER_CASE_WITH_UNDERSCORES
Variable HyperonChain._taxWallets (#172-174) is not in mixedCase
Constant HyperonChain.startingSupply (#125) is not in UPPER_CASE_WITH_UNDERSCORES
Constant HyperonChain._symbol (#127) is not in UPPER_CASE_WITH_UNDERSCORES
Parameter HyperonChain.setProtectionSettings(bool,bool)._antiBlock (#425) is not in mixedCase
Parameter HyperonChain.setRewardsProperties(uint256,uint256,uint256)._minReflection (#494) is not in mixedCase
Follow the Solidity naming convention.
Variable HyperonChain.setInitializers(address,address).aInitializer (#376) is too similar to HyperonChain.setInitializers(address,address).cInitializer (#376)
Variable IRouter01.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountADesired (#45) is too similar to IRouter01.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountBDesired (#46)
Prevent variables from having similar names.
HyperonChain.slitherConstructorVariables() (#112-767) uses literals with too many digits:
- reflectorGas = 300000 (#180)
HyperonChain.slitherConstructorConstantVariables() (#112-767) uses literals with too many digits:
- ZERO = 0x0000000000000000000000000000000000000000 (#166)
HyperonChain.slitherConstructorConstantVariables() (#112-767) uses literals with too many digits:
- DEAD = 0x000000000000000000000000000000000000dEaD (#165)
Use the Ether suffix, a time suffix, or scientific notation.
getMaxWallet() should be declared external:
- HyperonChain.getMaxWallet() (#466-468)
approveContractContingency() should be declared external:
- HyperonChain.approveContractContingency() (#331-334)
enableTrading() should be declared external:
- HyperonChain.enableTrading() (#642-655)
getMaxTX() should be declared external:
- HyperonChain.getMaxTX() (#462-464)
setNewRouter(address) should be declared external:
- HyperonChain.setNewRouter(address) (#348-360)
Use the external attribute for functions never called from the contract.
Average 30d PancakeSwap liquidity is less than $100. Token is either dead or inactive.
Average 30d number of PancakeSwap swaps is less than 1. Token is either dead or inactive.
Contract has 2% buy tax and 4% sell tax.
Taxes are low but contract ownership is not renounced. Token has a high risk of becoming a honeypot.
Token is deployed on only one blockchain
Young tokens have high risks of scam / price dump / death
Young tokens have high risks of price dump / death
Token has relatively low CoinGecko rank