SurfMoon is a travel-based redistribution token on Binance Smart Chain. It is aiming to create a link between cryptocurrency, NFTs and the travel sector.
Unable to find manual contract audit (e.g. Certik, PeckShield, Solidity...)
SurfMoon.addLiquidity(uint256,uint256) (#1742-1754) sends eth to arbitrary user
Dangerous calls:
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#1745-1752)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Reentrancy in DividendPayingToken._withdrawDividendOfUser(address) (#737-753):
External calls:
- (success) = user.call{gas: 3000,value: _withdrawableDividend}() (#742)
State variables written after the call(s):
- withdrawnDividends[user] = withdrawnDividends[user].sub(_withdrawableDividend) (#745)
Apply the check-effects-interactions pattern.
SurfMoon.changeCooldownSettings(bool,uint8) (#1618-1622) contains a tautology or contradiction:
- require(bool,string)(newInterval <= 600,Exceeds the limit) (#1619)
Fix the incorrect comparison by changing the value type or the comparison.
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitrary destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
SurfMoon._transfer(address,address,uint256).claims (#1699) is a local variable never initialized
Initialize all the variables. If a variable is meant to be initialized to zero, explicitly set it to zero to improve code readability.
SurfMoon.addLiquidity(uint256,uint256) (#1742-1754) ignores return value by uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#1745-1752)
Ensure that all the return values of the function calls are used.
DividendPayingToken.constructor(string,string)._symbol (#694) shadows:
- ERC20._symbol (#335) (state variable)
Rename the local variables that shadow another component.
SurfMoon.changeCooldownSettings(bool,uint8) (#1618-1622) should emit an event for:
- cooldownTimerInterval = newInterval (#1621)
Emit an event for critical parameter changes.
SurfMoon.setMarketingWallet(address).wallet (#1510) lacks a zero-check on :
- _marketingWallet = wallet (#1511)
Check that the address is not zero.
Variable 'SurfMoon._transfer(address,address,uint256).iterations (#1699)' in SurfMoon._transfer(address,address,uint256) (#1628-1704) potentially used before declaration: ProcessedDividendTracker(iterations,claims,lastProcessedIndex,true,gas,tx.origin) (#1700)
Move all variable declarations prior to any usage of the variable, and ensure that reaching a variable declaration does not depend on some conditional if it is used unconditionally.
Reentrancy in SURFDividendTracker.processAccount(address,bool) (#1163-1173):
External calls:
- amount = _withdrawDividendOfUser(account) (#1164)
- (success) = user.call{gas: 3000,value: _withdrawableDividend}() (#742)
State variables written after the call(s):
- lastClaimTimes[account] = block.timestamp (#1167)
Apply the check-effects-interactions pattern.
Reentrancy in SurfMoon.swapBack(uint256) (#1706-1740):
External calls:
- uniswapV2Router.swapExactTokensForETHSupportingFeeOnTransferTokens(amountToSwap,0,path,address(this),block.timestamp) (#1716-1722)
- addLiquidity(tokensToLP,bnbForLiquidity) (#1731)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#1745-1752)
- (success) = address(dividendTracker).call{value: bnbForReflection}() (#1735)
External calls sending eth:
- addLiquidity(tokensToLP,bnbForLiquidity) (#1731)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#1745-1752)
- address(_marketingWallet).transfer(bnbForMarketing) (#1733)
- (success) = address(dividendTracker).call{value: bnbForReflection}() (#1735)
Event emitted after the call(s):
- SendDividends(tokensToLiquify.mul(SellRewardsFee).div(SellTotalFees),bnbForReflection) (#1738)
Apply the check-effects-interactions pattern.
SurfMoon._transfer(address,address,uint256) (#1628-1704) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(cooldownTimer[from] < block.timestamp,Please wait for cooldown between buys) (#1648)
Avoid relying on block.timestamp.
SafeMathInt.mul(int256,int256) (#161-168) is never used and should be removed
Remove unused functions.
solc-0.8.7 is not recommended for deployment
Deploy with any of the following Solidity versions: 0.5.16 - 0.5.17, 0.6.11 - 0.6.12, 0.7.5 - 0.7.6. Use a simple pragma version that allows any of these versions. Consider using the latest version of Solidity for testing.
Low level call in SurfMoon.swapBack(uint256) (#1706-1740):
- (success) = address(dividendTracker).call{value: bnbForReflection}() (#1735)
Avoid low-level calls. Check the call success. If the call is meant for a contract, check for code existence.
Variable SurfMoon._isExcludedFromFees (#1407) is not in mixedCase
Follow the Solidity naming convention.
Redundant expression "this (#228)" in Context (#222-231)
Remove redundant statements if they congest code but offer no value.
Reentrancy in SurfMoon.swapBack(uint256) (#1706-1740):
External calls:
- address(_marketingWallet).transfer(bnbForMarketing) (#1733)
External calls sending eth:
- addLiquidity(tokensToLP,bnbForLiquidity) (#1731)
- uniswapV2Router.addLiquidityETH{value: ethAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#1745-1752)
- address(_marketingWallet).transfer(bnbForMarketing) (#1733)
- (success) = address(dividendTracker).call{value: bnbForReflection}() (#1735)
Event emitted after the call(s):
- SendDividends(tokensToLiquify.mul(SellRewardsFee).div(SellTotalFees),bnbForReflection) (#1738)
Apply the check-effects-interactions pattern.
Variable IUniswapV2Router01.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountADesired (#1250) is too similar to IUniswapV2Router01.addLiquidity(address,address,uint256,uint256,uint256,uint256,address,uint256).amountBDesired (#1251)
Prevent variables from having similar names.
SurfMoon.slitherConstructorVariables() (#1378-1778) uses literals with too many digits:
- gasForProcessing = 300000 (#1405)
Use the Ether suffix, the time suffix, or scientific notation.
SurfMoon._presalerCollected (#1410) is never used in SurfMoon (#1378-1778)
Remove unused state variables.
dividendTokenBalanceOf(address) should be declared external:
- SurfMoon.dividendTokenBalanceOf(address) (#1550-1552)
Use the external attribute for functions never called from the contract.
BscScan page for the token does not contain additional info: website, socials, description, etc.
Unable to find token contract audit
Unable to find audit link on the website
Unable to find token on CoinHunt
Unable to find code repository for the project
Young tokens have high risks of price dump / death
Young tokens have high risks of scam / price dump / death
Token has relatively low CoinGecko rank
Twitter account link seems to be invalid
Unable to find Youtube account
Unable to find Discord account