To be part of the growing Mystery Box community and enjoy all its benefits you will need to hold the Mystery token ($MYST). Becoming a holder will give you access to buy exclusive Mystery Boxes, buy our upcoming NFTs, contribute through our buy/sell taxes system for the development of this project, utilities, donations to selected charity organizations, marketing, giveaways/rewards and much more super cool mysteries.
Mystery.swapBack(uint256) (#595-641) sends eth to arbitrary user
Dangerous calls:
- giveawayReceiver.transfer(amountGiveaway) (#636)
- devmarketingReceiver.transfer(amountDevMarketing) (#639)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Reentrancy in Mystery._transferFrom(address,address,uint256) (#502-526):
External calls:
- swapBack(amount) (#520)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#607-613)
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
External calls sending eth:
- swapBack(amount) (#520)
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
- giveawayReceiver.transfer(amountGiveaway) (#636)
- devmarketingReceiver.transfer(amountDevMarketing) (#639)
State variables written after the call(s):
- _balances[recipient] += amountReceived (#522)
Apply the check-effects-interactions pattern.
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitrary destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
Mystery.getTotalFee(bool,bool) (#548-552) uses a dangerous strict equality:
- launchedAt == block.number (#549)
Don't use strict equality to determine if an account has enough Ether or tokens.
Mystery.constructor(address,address,address)._lp (#424) lacks a zero-check on :
- liquidityReceiver = _lp (#426)
Mystery.constructor(address,address,address)._giveaway (#424) lacks a zero-check on :
- giveawayReceiver = address(_giveaway) (#427)
Mystery.constructor(address,address,address)._devmarketing (#424) lacks a zero-check on :
- devmarketingReceiver = address(_devmarketing) (#428)
Check that the address is not zero.
Mystery.slitherConstructorConstantVariables() (#359-783) uses literals with too many digits:
- DEAD = 0x000000000000000000000000000000000000dEaD (#362)
Use: Ether suffix, Time suffix, or The scientific notation
Address.isContract(address) (#44-53) uses assembly
- INLINE ASM (#51)
Address._functionCallWithValue(address,bytes,uint256,string) (#137-158) uses assembly
- INLINE ASM (#150-153)
Do not use evm assembly.
Mystery.swapBack(uint256) (#595-641) ignores return value by router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
Ensure that all the return values of the function calls are used.
Mystery._approve(address,address,uint256).owner (#478) shadows:
- Ownable.owner() (#325-327) (function)
Rename the local variables that shadow another component.
Reentrancy in Mystery.constructor(address,address,address) (#424-445):
External calls:
- pair = IDEXFactory(router.factory()).createPair(router.WETH(),address(this)) (#431)
State variables written after the call(s):
- _allowances[owner()][routerAddress] = type()(uint256).max (#433)
- _allowances[address(this)][routerAddress] = type()(uint256).max (#434)
- _balances[owner()] = _totalSupply (#443)
- isFeeExempt[owner()] = true (#436)
- isTxLimitExempt[address(this)] = true (#439)
- isTxLimitExempt[owner()] = true (#440)
- isTxLimitExempt[routerAddress] = true (#441)
- liquidityPools[pair] = true (#432)
- liquidityProviders[owner()] = true (#437)
Apply the check-effects-interactions pattern.
Reentrancy in Mystery._transferFrom(address,address,uint256) (#502-526):
External calls:
- swapBack(amount) (#520)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#607-613)
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
External calls sending eth:
- swapBack(amount) (#520)
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
- giveawayReceiver.transfer(amountGiveaway) (#636)
- devmarketingReceiver.transfer(amountDevMarketing) (#639)
Event emitted after the call(s):
- Transfer(sender,recipient,amountReceived) (#524)
Reentrancy in Mystery.constructor(address,address,address) (#424-445):
External calls:
- pair = IDEXFactory(router.factory()).createPair(router.WETH(),address(this)) (#431)
Event emitted after the call(s):
- Transfer(address(0),owner(),_totalSupply) (#444)
Reentrancy in Mystery.swapBack(uint256) (#595-641):
External calls:
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#607-613)
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
External calls sending eth:
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
Event emitted after the call(s):
- AutoLiquify(amountLiquidity,amountToLiquify) (#632)
Apply the check-effects-interactions pattern.
Mystery.takeFee(address,address,uint256) (#554-583) uses timestamp for comparisons
Dangerous comparisons:
- highSellPeriod = ! liquidityPools[sender] && lastBuy[sender] + sellPeriod > block.timestamp (#556)
- block.timestamp > lastSell[sender] + antiDumpPeriod (#561)
Avoid relying on block.timestamp.
Address._functionCallWithValue(address,bytes,uint256,string) (#137-158) is never used and should be removed
Address.functionCall(address,bytes) (#97-99) is never used and should be removed
Address.functionCall(address,bytes,string) (#107-109) is never used and should be removed
Address.functionCallWithValue(address,bytes,uint256) (#122-124) is never used and should be removed
Address.functionCallWithValue(address,bytes,uint256,string) (#132-135) is never used and should be removed
Address.isContract(address) (#44-53) is never used and should be removed
Address.sendValue(address,uint256) (#71-77) is never used and should be removed
Context._msgData() (#166-169) is never used and should be removed
Remove unused functions.
Pragma version0.8.11 (#23) necessitates a version too recent to be trusted. Consider deploying with 0.6.12/0.7.6/0.8.7
solc-0.8.11 is not recommended for deployment
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6 Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Low level call in Address.sendValue(address,uint256) (#71-77):
- (success) = recipient.call{value: amount}() (#75)
Low level call in Address._functionCallWithValue(address,bytes,uint256,string) (#137-158):
- (success,returndata) = target.call{value: weiValue}(data) (#141)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence
Function IDEXRouter.WETH() (#250) is not in mixedCase
Parameter Mystery.setLiquidityProvider(address)._provider (#679) is not in mixedCase
Parameter Mystery.setSellPeriod(uint256,uint256)._sellPercentIncrease (#687) is not in mixedCase
Parameter Mystery.setSellPeriod(uint256,uint256)._period (#687) is not in mixedCase
Parameter Mystery.setAntiDumpTax(uint256,uint256,uint256,bool)._tax (#697) is not in mixedCase
Parameter Mystery.setAntiDumpTax(uint256,uint256,uint256,bool)._period (#697) is not in mixedCase
Parameter Mystery.setAntiDumpTax(uint256,uint256,uint256,bool)._threshold (#697) is not in mixedCase
Parameter Mystery.setAntiDumpTax(uint256,uint256,uint256,bool)._reserve0 (#697) is not in mixedCase
Parameter Mystery.setFees(uint256,uint256,uint256,uint256,uint256)._liquidityFee (#736) is not in mixedCase
Parameter Mystery.setFees(uint256,uint256,uint256,uint256,uint256)._giveawayFee (#736) is not in mixedCase
Parameter Mystery.setFees(uint256,uint256,uint256,uint256,uint256)._devmarketingFee (#736) is not in mixedCase
Parameter Mystery.setFees(uint256,uint256,uint256,uint256,uint256)._sellBias (#736) is not in mixedCase
Parameter Mystery.setFees(uint256,uint256,uint256,uint256,uint256)._feeDenominator (#736) is not in mixedCase
Parameter Mystery.setSwapBackSettings(bool,uint256,uint256)._enabled (#749) is not in mixedCase
Parameter Mystery.setSwapBackSettings(bool,uint256,uint256)._denominator (#749) is not in mixedCase
Parameter Mystery.setSwapBackSettings(bool,uint256,uint256)._denominatorMin (#749) is not in mixedCase
Parameter Mystery.setTargetLiquidity(uint256,uint256)._target (#757) is not in mixedCase
Parameter Mystery.setTargetLiquidity(uint256,uint256)._denominator (#757) is not in mixedCase
Parameter Mystery.addLiquidityPool(address,bool)._pool (#763) is not in mixedCase
Parameter Mystery.addLiquidityPool(address,bool)._enabled (#763) is not in mixedCase
Constant Mystery._name (#364) is not in UPPER_CASE_WITH_UNDERSCORES
Constant Mystery._symbol (#365) is not in UPPER_CASE_WITH_UNDERSCORES
Constant Mystery._decimals (#366) is not in UPPER_CASE_WITH_UNDERSCORES
Constant Mystery._totalSupply (#368) is not in UPPER_CASE_WITH_UNDERSCORES
Variable Mystery._maxTxAmount (#371) is not in mixedCase
Variable Mystery._maxWalletSize (#372) is not in mixedCase
Variable Mystery._balances (#374) is not in mixedCase
Variable Mystery._allowances (#375) is not in mixedCase
Constant Mystery.routerAddress (#408) is not in UPPER_CASE_WITH_UNDERSCORES
Follow the Solidity naming convention.
Redundant expression "this (#167)" inContext (#161-170)
Remove redundant statements if they congest code but offer no value.
Reentrancy in Mystery._transferFrom(address,address,uint256) (#502-526):
External calls:
- swapBack(amount) (#520)
- giveawayReceiver.transfer(amountGiveaway) (#636)
- devmarketingReceiver.transfer(amountDevMarketing) (#639)
External calls sending eth:
- swapBack(amount) (#520)
- router.addLiquidityETH{value: amountLiquidity}(address(this),amountToLiquify,0,0,liquidityReceiver,block.timestamp) (#624-631)
- giveawayReceiver.transfer(amountGiveaway) (#636)
- devmarketingReceiver.transfer(amountDevMarketing) (#639)
State variables written after the call(s):
- _balances[recipient] += amountReceived (#522)
Event emitted after the call(s):
- Transfer(sender,recipient,amountReceived) (#524)
Apply the check-effects-interactions pattern.
Variable IDEXRouter.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountADesired (#255) is too similar to IDEXRouter.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountBDesired (#256)
Prevent variables from having similar names.
Unable to find token on CoinHunt
Unable to find whitepaper link on the website
Young tokens have high risks of scam / price dump / death
Alexa traffic rank is relatively low
Token has no active CoinGecko listing / rank
Token has relatively low CoinMarketCap rank