MetaCupidVerse aims to build and deploy a productive platform that provides passive income, auto-staking, assisting people towards finacial freedom.
Unable to find manual contract audit (e.g. Certik, PeckShield, Solidity...)
CUPID.swapBack() (#338-379) sends eth to arbitrary user
Dangerous calls:
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Additional information: link
Reentrancy in CUPID._transferFrom(address,address,uint256) (#279-299):
External calls:
- swapBack() (#288)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#349-355)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
External calls sending eth:
- swapBack() (#288)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
State variables written after the call(s):
- _balances[sender] = _balances[sender].sub(amount,Insufficient Balance) (#292)
- _balances[recipient] = _balances[recipient].add(amountReceived) (#295)
- amountReceived = takeFee(sender,recipient,amount) (#294)
- _balances[address(this)] = _balances[address(this)].add(feeAmount) (#325)
Apply the check-effects-interactions pattern.
Additional information: link
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitraty destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
CUPID.slitherConstructorVariables() (#194-463) performs a multiplication on the result of a division:
-swapThreshold = _totalSupply / 1000 * 5 (#230)
Consider ordering multiplication before division.
Additional information: link
CUPID.swapBack() (#338-379) ignores return value by router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
Ensure that all the return values of the function calls are used.
Additional information: link
CUPID.setTxLimit(uint256) (#402-405) should emit an event for:
- _maxTxAmount = amount (#404)
CUPID.setFees(uint256,uint256,uint256,uint256) (#420-426) should emit an event for:
- liquidityFee = _liquidityFee (#421)
- buybackFee = _buybackFee (#422)
- marketingFee = _marketingFee (#423)
- totalFee = _liquidityFee.add(_buybackFee).add(_marketingFee) (#424)
- feeDenominator = _feeDenominator (#425)
Emit an event for critical parameter changes.
Additional information: link
Auth.transferOwnership(address).adr (#133) lacks a zero-check on :
- owner = adr (#134)
CUPID.setFeeReceiver(address,address)._marketingFeeReceiver (#428) lacks a zero-check on :
- marketingFeeReceiver = _marketingFeeReceiver (#429)
CUPID.setFeeReceiver(address,address)._buybackFeeReceiver (#428) lacks a zero-check on :
- buybackFeeReceiver = _buybackFeeReceiver (#430)
Check that the address is not zero.
Additional information: link
Reentrancy in CUPID._transferFrom(address,address,uint256) (#279-299):
External calls:
- swapBack() (#288)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#349-355)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
External calls sending eth:
- swapBack() (#288)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
State variables written after the call(s):
- launch() (#290)
- launchedAt = block.number (#399)
Reentrancy in CUPID.constructor() (#234-245):
External calls:
- pair = IDEXFactory(router.factory()).createPair(WBNB,address(this)) (#236)
State variables written after the call(s):
- _allowances[address(this)][address(router)] = type()(uint256).max (#237)
- _balances[_owner] = _totalSupply (#243)
- isFeeExempt[_owner] = true (#240)
- isTxLimitExempt[_owner] = true (#241)
Apply the check-effects-interactions pattern.
Additional information: link
Reentrancy in CUPID._transferFrom(address,address,uint256) (#279-299):
External calls:
- swapBack() (#288)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#349-355)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
External calls sending eth:
- swapBack() (#288)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
Event emitted after the call(s):
- Transfer(sender,address(this),feeAmount) (#326)
- amountReceived = takeFee(sender,recipient,amount) (#294)
- Transfer(sender,recipient,amountReceived) (#297)
Reentrancy in CUPID.constructor() (#234-245):
External calls:
- pair = IDEXFactory(router.factory()).createPair(WBNB,address(this)) (#236)
Event emitted after the call(s):
- Transfer(address(0),_owner,_totalSupply) (#244)
Reentrancy in CUPID.swapBack() (#338-379):
External calls:
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#349-355)
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
External calls sending eth:
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
- router.addLiquidityETH{value: amountBNBLiquidity}(address(this),amountToLiquify,0,0,marketingFeeReceiver,block.timestamp) (#369-376)
Event emitted after the call(s):
- AutoLiquify(amountBNBLiquidity,amountToLiquify) (#377)
Apply the check-effects-interactions pattern.
Additional information: link
CUPID.buyTokens(uint256,address) (#381-392) is never used and should be removed
Remove unused functions.
Additional information: link
CUPID._maxTxAmount (#206) is set pre-construction with a non-constant function or state variable:
- (_totalSupply * 1) / 100
CUPID._maxWalletSize (#207) is set pre-construction with a non-constant function or state variable:
- (_totalSupply * 1) / 100
CUPID.swapThreshold (#230) is set pre-construction with a non-constant function or state variable:
- _totalSupply / 1000 * 5
Remove any initialization of state variables via non-constant state variables or function calls. If variables must be set upon contract deployment, locate initialization in the constructor instead.
Additional information: link
Low level call in CUPID.swapBack() (#338-379):
- (MarketingSuccess) = address(marketingFeeReceiver).call{gas: 30000,value: amountBNBMarketing}() (#363)
- (buybackSuccess) = address(buybackFeeReceiver).call{gas: 30000,value: amountBNBbuyback}() (#365)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence
Additional information: link
Function IDEXRouter.WETH() (#148) is not in mixedCase
Parameter CUPID.setFees(uint256,uint256,uint256,uint256)._liquidityFee (#420) is not in mixedCase
Parameter CUPID.setFees(uint256,uint256,uint256,uint256)._buybackFee (#420) is not in mixedCase
Parameter CUPID.setFees(uint256,uint256,uint256,uint256)._marketingFee (#420) is not in mixedCase
Parameter CUPID.setFees(uint256,uint256,uint256,uint256)._feeDenominator (#420) is not in mixedCase
Parameter CUPID.setFeeReceiver(address,address)._marketingFeeReceiver (#428) is not in mixedCase
Parameter CUPID.setFeeReceiver(address,address)._buybackFeeReceiver (#428) is not in mixedCase
Parameter CUPID.setSwapBackSettings(bool,uint256)._enabled (#433) is not in mixedCase
Parameter CUPID.setSwapBackSettings(bool,uint256)._amount (#433) is not in mixedCase
Parameter CUPID.transferForeignToken(address)._token (#443) is not in mixedCase
Variable CUPID.WBNB (#197) is not in mixedCase
Variable CUPID.DEAD (#198) is not in mixedCase
Variable CUPID.ZERO (#199) is not in mixedCase
Constant CUPID._name (#201) is not in UPPER_CASE_WITH_UNDERSCORES
Constant CUPID._symbol (#202) is not in UPPER_CASE_WITH_UNDERSCORES
Constant CUPID._decimals (#203) is not in UPPER_CASE_WITH_UNDERSCORES
Variable CUPID._totalSupply (#205) is not in mixedCase
Variable CUPID._maxTxAmount (#206) is not in mixedCase
Variable CUPID._maxWalletSize (#207) is not in mixedCase
Variable CUPID._balances (#209) is not in mixedCase
Variable CUPID._allowances (#210) is not in mixedCase
Follow the Solidity naming convention.
Additional information: link
Variable IDEXRouter.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountADesired (#153) is too similar to IDEXRouter.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountBDesired (#154)
Prevent variables from having similar names.
Additional information: link
CUPID.slitherConstructorVariables() (#194-463) uses literals with too many digits:
- DEAD = 0x000000000000000000000000000000000000dEaD (#198)
CUPID.slitherConstructorVariables() (#194-463) uses literals with too many digits:
- ZERO = 0x0000000000000000000000000000000000000000 (#199)
CUPID.slitherConstructorVariables() (#194-463) uses literals with too many digits:
- _totalSupply = 1000000000 * (10 ** _decimals) (#205)
Use: Ether suffix, Time suffix, or The scientific notation
Additional information: link
CUPID.DEAD (#198) should be constant
CUPID.WBNB (#197) should be constant
CUPID.ZERO (#199) should be constant
CUPID._totalSupply (#205) should be constant
Add the constant attributes to state variables that never change.
Additional information: link
authorize(address) should be declared external:
- Auth.authorize(address) (#105-107)
unauthorize(address) should be declared external:
- Auth.unauthorize(address) (#112-114)
transferOwnership(address) should be declared external:
- Auth.transferOwnership(address) (#133-137)
transferForeignToken(address) should be declared external:
- CUPID.transferForeignToken(address) (#443-447)
isOverLiquified(uint256,uint256) should be declared external:
- CUPID.isOverLiquified(uint256,uint256) (#457-459)
Use the external attribute for functions never called from the contract.
Additional information: link
Unable to find website, listings and other project-related information
Young tokens have high risks of scam / price dump / death
Token has no active CoinGecko listing / rank
Token has no active CoinMarketCap listing / rank
Unable to find Twitter account
Telegram account has relatively few subscribers
Unable to find Blog account (Reddit or Medium)
Unable to find Youtube account
Unable to find Discord account