STARS [Mogul Stars] Token

Contract ownership is not renounced (belongs to a wallet)

AnyswapV5ERC20.depositWithTransferPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#331-334) ignores return value by IERC20(underlying).transferWithPermit(target,address(this),value,deadline,v,r,s) (#332)
Ensure that all the return values of the function calls are used.

Additional information: link

AnyswapV5ERC20.initVault(address)._vault (#195) lacks a zero-check on :
- vault = _vault (#197)
- pendingVault = _vault (#198)
AnyswapV5ERC20.setMinter(address)._auth (#205) lacks a zero-check on :
- pendingMinter = _auth (#206)
AnyswapV5ERC20.setVault(address)._vault (#210) lacks a zero-check on :
- pendingVault = _vault (#211)
AnyswapV5ERC20.constructor(string,string,uint8,address,address)._underlying (#290) lacks a zero-check on :
- underlying = _underlying (#294)
AnyswapV5ERC20.constructor(string,string,uint8,address,address)._vault (#290) lacks a zero-check on :
- vault = _vault (#305)
- pendingVault = _vault (#306)
Check that the address is not zero.

Additional information: link

Reentrancy in AnyswapV5ERC20.deposit() (#336-340):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),_amount) (#338)
State variables written after the call(s):
- _deposit(_amount,msg.sender) (#339)
- _totalSupply += amount (#396)
- _deposit(_amount,msg.sender) (#339)
- balanceOf[account] += amount (#397)
Reentrancy in AnyswapV5ERC20.deposit(uint256) (#342-345):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#343)
State variables written after the call(s):
- _deposit(amount,msg.sender) (#344)
- _totalSupply += amount (#396)
- _deposit(amount,msg.sender) (#344)
- balanceOf[account] += amount (#397)
Reentrancy in AnyswapV5ERC20.deposit(uint256,address) (#347-350):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#348)
State variables written after the call(s):
- _deposit(amount,to) (#349)
- _totalSupply += amount (#396)
- _deposit(amount,to) (#349)
- balanceOf[account] += amount (#397)
Reentrancy in AnyswapV5ERC20.depositWithPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#325-329):
External calls:
- IERC20(underlying).permit(target,address(this),value,deadline,v,r,s) (#326)
- IERC20(underlying).safeTransferFrom(target,address(this),value) (#327)
State variables written after the call(s):
- _deposit(value,to) (#328)
- _totalSupply += amount (#396)
- _deposit(value,to) (#328)
- balanceOf[account] += amount (#397)
Reentrancy in AnyswapV5ERC20.depositWithTransferPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#331-334):
External calls:
- IERC20(underlying).transferWithPermit(target,address(this),value,deadline,v,r,s) (#332)
State variables written after the call(s):
- _deposit(value,to) (#333)
- _totalSupply += amount (#396)
- _deposit(value,to) (#333)
- balanceOf[account] += amount (#397)
Apply the check-effects-interactions pattern.

Additional information: link

Reentrancy in AnyswapV5ERC20.deposit() (#336-340):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),_amount) (#338)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#398)
- _deposit(_amount,msg.sender) (#339)
Reentrancy in AnyswapV5ERC20.deposit(uint256) (#342-345):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#343)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#398)
- _deposit(amount,msg.sender) (#344)
Reentrancy in AnyswapV5ERC20.deposit(uint256,address) (#347-350):
External calls:
- IERC20(underlying).safeTransferFrom(msg.sender,address(this),amount) (#348)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#398)
- _deposit(amount,to) (#349)
Reentrancy in AnyswapV5ERC20.depositWithPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#325-329):
External calls:
- IERC20(underlying).permit(target,address(this),value,deadline,v,r,s) (#326)
- IERC20(underlying).safeTransferFrom(target,address(this),value) (#327)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#398)
- _deposit(value,to) (#328)
Reentrancy in AnyswapV5ERC20.depositWithTransferPermit(address,uint256,uint256,uint8,bytes32,bytes32,address) (#331-334):
External calls:
- IERC20(underlying).transferWithPermit(target,address(this),value,deadline,v,r,s) (#332)
Event emitted after the call(s):
- Transfer(address(0),account,amount) (#398)
- _deposit(value,to) (#333)
Apply the check-effects-interactions pattern.

Additional information: link

AnyswapV5ERC20.mpc() (#184-189) uses timestamp for comparisons
Dangerous comparisons:
- block.timestamp >= delayVault (#185)
AnyswapV5ERC20.applyVault() (#215-218) uses timestamp for comparisons
Dangerous comparisons:
- require(bool)(block.timestamp >= delayVault) (#216)
AnyswapV5ERC20.applyMinter() (#220-224) uses timestamp for comparisons
Dangerous comparisons:
- require(bool)(block.timestamp >= delayMinter) (#221)
AnyswapV5ERC20.permit(address,address,uint256,uint256,uint8,bytes32,bytes32) (#453-470) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(block.timestamp <= deadline,AnyswapV3ERC20: Expired permit) (#454)
AnyswapV5ERC20.transferWithPermit(address,address,uint256,uint256,uint8,bytes32,bytes32) (#472-496) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(block.timestamp <= deadline,AnyswapV3ERC20: Expired permit) (#473)
Avoid relying on block.timestamp.

Additional information: link

Address.isContract(address) (#87-93) uses assembly
- INLINE ASM (#91)
AnyswapV5ERC20.constructor(string,string,uint8,address,address) (#290-318) uses assembly
- INLINE ASM (#310)
Do not use evm assembly.

Additional information: link

SafeERC20.safeApprove(IERC20,address,uint256) (#107-112) is never used and should be removed
Remove unused functions.

Additional information: link

Pragma version0.8.2 (#15) allows old versions
solc-0.8.2 is not recommended for deployment
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6 Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.

Additional information: link

Low level call in SafeERC20.callOptionalReturn(IERC20,bytes) (#113-124):
- (success,returndata) = address(token).call(data) (#117)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence

Additional information: link

Parameter AnyswapV5ERC20.initVault(address)._vault (#195) is not in mixedCase
Parameter AnyswapV5ERC20.setMinter(address)._auth (#205) is not in mixedCase
Parameter AnyswapV5ERC20.setVault(address)._vault (#210) is not in mixedCase
Parameter AnyswapV5ERC20.revokeMinter(address)._auth (#227) is not in mixedCase
Function AnyswapV5ERC20.Swapin(bytes32,address,uint256) (#263-267) is not in mixedCase
Function AnyswapV5ERC20.Swapout(uint256,address) (#269-275) is not in mixedCase
Variable AnyswapV5ERC20.DOMAIN_SEPARATOR (#137) is not in mixedCase
Follow the Solidity naming convention.

Additional information: link

AnyswapV5ERC20.delay (#150) should be constant
AnyswapV5ERC20.delayDelay (#167) should be constant
AnyswapV5ERC20.pendingDelay (#166) should be constant
Add the constant attributes to state variables that never change.

Additional information: link

owner() should be declared external:
- AnyswapV5ERC20.owner() (#180-182)
changeMPCOwner(address) should be declared external:
- AnyswapV5ERC20.changeMPCOwner(address) (#244-250)
Swapin(bytes32,address,uint256) should be declared external:
- AnyswapV5ERC20.Swapin(bytes32,address,uint256) (#263-267)
Swapout(uint256,address) should be declared external:
- AnyswapV5ERC20.Swapout(uint256,address) (#269-275)
Use the external attribute for functions never called from the contract.

Additional information: link

Unable to find whitepaper link on the website

Token is not listed at Mobula.Finance

Additional information: link

Young tokens have high risks of price dump / death