Our goal is to ensure the safety of all crypto investors by creating an iOS/Android app that will automatically check for red flags in any token by simply entering the contract address! TARP SCORE
With the launch of our contract reader app, we will be introducing the “TARP Score”. Once the app has completed its automated assessment of a contract, it will generate a TARP Score that will range from 0 (BAD) to 100 (GOOD) determining the relative risk or safety of the token. DETAILS
The TARP Contract Reader app distinguishes itself from all competitors by advancing contract risk evaluation to the next level. Not only will it generate a TARP Score, but it will also provide detailed explanations for every red flag, so the potential risk is clear and easy to understand.
Unable to find manual contract audit (e.g. Certik, PeckShield, Solidity...)
TARP.addLiquidity(uint256,uint256) (#552-565) sends eth to arbitrary user
Dangerous calls:
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
Ensure that an arbitrary user cannot withdraw unauthorized funds.
Additional information: link
Reentrancy in TARP._transfer(address,address,uint256) (#462-491):
External calls:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
External calls sending eth:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
State variables written after the call(s):
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- _rOwned[address(this)] += rDev (#388)
- _rOwned[address(this)] += rLiquidity (#378)
- _rOwned[deadAddress] += rBurn (#398)
- _rOwned[sender] = _rOwned[sender] - s.rAmount (#506)
- _rOwned[recipient] = _rOwned[recipient] + s.rTransferAmount (#507)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- _rTotal -= rRfi (#367)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- _tOwned[address(this)] += tLiquidity (#376)
- _tOwned[sender] = _tOwned[sender] - tAmount (#500)
- _tOwned[deadAddress] += tBurn (#396)
- _tOwned[address(this)] += tDev (#386)
- _tOwned[recipient] = _tOwned[recipient] + s.tTransferAmount (#503)
Apply the check-effects-interactions pattern.
Additional information: link
TARP.rescueAnyBEP20Tokens(address,address,uint256) (#637-639) ignores return value by IERC20(_tokenAddr).transfer(_to,_amount) (#638)
Use SafeERC20, or ensure that the transfer/transferFrom return value is checked.
Additional information: link
Combination 1: Reentrancy vulnerabilities + Functions that send Ether to arbitraty destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
Combination 3: Reentrancy vulnerabilities + Unchecked transfer vulnerability. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
Combination 2: Unchecked transfer + Functions that send Ether to arbitraty destination. Usual for scams. May be justified by some complex mechanics (e.g. rebase, reflections). DYOR & manual audit are advised.
Contract ownership is not renounced (belongs to a wallet)
Context._msgData() (#82-85) is never used and should be removed
Remove unused functions.
Additional information: link
TARP._rTotal (#167) is set pre-construction with a non-constant function or state variable:
- (MAX - (MAX % _tTotal))
Remove any initialization of state variables via non-constant state variables or function calls. If variables must be set upon contract deployment, locate initialization in the constructor instead.
Additional information: link
Redundant expression "this (#83)" inContext (#77-86)
Remove redundant statements if they congest code but offer no value.
Additional information: link
TARP.slitherConstructorConstantVariables() (#146-644) uses literals with too many digits:
- deadAddress = 0x000000000000000000000000000000000000dEaD (#178)
TARP.slitherConstructorVariables() (#146-644) uses literals with too many digits:
- swapTokensAtAmount = 2000000 * 10 ** _decimals (#170)
TARP.slitherConstructorVariables() (#146-644) uses literals with too many digits:
- maxTxAmount = 10000000000 * 10 ** _decimals (#171)
Use: Ether suffix, Time suffix, or The scientific notation
Additional information: link
Reentrancy in TARP.swapAndLiquify(uint256) (#526-550):
External calls:
- swapTokensForBNB(toSwap) (#534)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
- addLiquidity(tokensToAddLiquidityWith,bnbToAddLiquidityWith) (#542)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
External calls sending eth:
- addLiquidity(tokensToAddLiquidityWith,bnbToAddLiquidityWith) (#542)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
Event emitted after the call(s):
- Approval(owner,spender,amount) (#458)
- addLiquidity(tokensToAddLiquidityWith,bnbToAddLiquidityWith) (#542)
Reentrancy in TARP._transfer(address,address,uint256) (#462-491):
External calls:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
External calls sending eth:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
Event emitted after the call(s):
- Transfer(sender,deadAddress,s.tBurn) (#518)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- Transfer(sender,recipient,s.tTransferAmount) (#521)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- Transfer(sender,address(this),s.tLiquidity + s.tDev) (#522)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
Reentrancy in TARP.transferFrom(address,address,uint256) (#277-285):
External calls:
- _transfer(sender,recipient,amount) (#278)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
External calls sending eth:
- _transfer(sender,recipient,amount) (#278)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
Event emitted after the call(s):
- Approval(owner,spender,amount) (#458)
- _approve(sender,_msgSender(),currentAllowance - amount) (#282)
Apply the check-effects-interactions pattern.
Additional information: link
TARP.includeInReward(address) (#330-341) has costly operations inside a loop:
- _excluded.pop() (#337)
Use a local variable to hold the loop computation result.
Additional information: link
TARP.swapAndLiquify(uint256) (#526-550) performs a multiplication on the result of a division:
-unitBalance = deltaBalance / (denominator - taxes.liquidity) (#537)
-devAmt = unitBalance * 2 * taxes.dev (#545)
TARP.swapAndLiquify(uint256) (#526-550) performs a multiplication on the result of a division:
-unitBalance = deltaBalance / (denominator - taxes.liquidity) (#537)
-bnbToAddLiquidityWith = unitBalance * taxes.liquidity (#538)
Consider ordering multiplication before division.
Additional information: link
TARP.addLiquidity(uint256,uint256) (#552-565) ignores return value by router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
Ensure that all the return values of the function calls are used.
Additional information: link
TARP.allowance(address,address).owner (#268) shadows:
- Ownable.owner() (#97-99) (function)
TARP._approve(address,address,uint256).owner (#454) shadows:
- Ownable.owner() (#97-99) (function)
Rename the local variables that shadow another component.
Additional information: link
TARP.updateSwapTokensAtAmount(uint256) (#595-597) should emit an event for:
- swapTokensAtAmount = amount * 10 ** _decimals (#596)
TARP.updateCoolDownSettings(bool,uint256) (#603-606) should emit an event for:
- coolDownTime = _timeInSeconds * 1 (#605)
TARP.updatMaxTxAmt(uint256) (#591-593) should emit an event for:
- maxTxAmount = amount * 10 ** _decimals (#592)
Emit an event for critical parameter changes.
Additional information: link
TARP.constructor(address)._pair (#226-227) lacks a zero-check on :
- pair = _pair (#230)
TARP.updateRouterAndPair(address,address).newPair (#619) lacks a zero-check on :
- pair = newPair (#621)
Check that the address is not zero.
Additional information: link
Reentrancy in TARP.swapAndLiquify(uint256) (#526-550):
External calls:
- swapTokensForBNB(toSwap) (#534)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
- addLiquidity(tokensToAddLiquidityWith,bnbToAddLiquidityWith) (#542)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
External calls sending eth:
- addLiquidity(tokensToAddLiquidityWith,bnbToAddLiquidityWith) (#542)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
State variables written after the call(s):
- addLiquidity(tokensToAddLiquidityWith,bnbToAddLiquidityWith) (#542)
- _allowances[owner][spender] = amount (#457)
Reentrancy in TARP._transfer(address,address,uint256) (#462-491):
External calls:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
External calls sending eth:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
State variables written after the call(s):
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- totFeesPaid.liquidity += tLiquidity (#372)
- totFeesPaid.burn += tBurn (#392)
- totFeesPaid.dev += tDev (#382)
- totFeesPaid.rfi += tRfi (#368)
Reentrancy in TARP.transferFrom(address,address,uint256) (#277-285):
External calls:
- _transfer(sender,recipient,amount) (#278)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- router.swapExactTokensForETHSupportingFeeOnTransferTokens(tokenAmount,0,path,address(this),block.timestamp) (#576-582)
External calls sending eth:
- _transfer(sender,recipient,amount) (#278)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
State variables written after the call(s):
- _approve(sender,_msgSender(),currentAllowance - amount) (#282)
- _allowances[owner][spender] = amount (#457)
Apply the check-effects-interactions pattern.
Additional information: link
TARP._transfer(address,address,uint256) (#462-491) uses timestamp for comparisons
Dangerous comparisons:
- require(bool,string)(timePassed > coolDownTime,You must wait coolDownTime) (#475)
- require(bool,string)(timePassed2 > coolDownTime,You must wait coolDownTime) (#480)
Avoid relying on block.timestamp.
Additional information: link
Constant TARP._symbol (#182) is not in UPPER_CASE_WITH_UNDERSCORES
Parameter TARP.setTaxes(uint256,uint256,uint256,uint256)._burn (#357) is not in mixedCase
Parameter TARP.setTaxes(uint256,uint256,uint256,uint256)._dev (#357) is not in mixedCase
Parameter TARP.rescueAnyBEP20Tokens(address,address,uint256)._amount (#637) is not in mixedCase
Parameter TARP.setTaxes(uint256,uint256,uint256,uint256)._rfi (#357) is not in mixedCase
Struct TARP.valuesFromGetValues (#201-213) is not in CapWords
Parameter TARP.updateCoolDownSettings(bool,uint256)._enabled (#603) is not in mixedCase
Parameter TARP.rescueAnyBEP20Tokens(address,address,uint256)._tokenAddr (#637) is not in mixedCase
Function IRouter.WETH() (#128) is not in mixedCase
Variable TARP._lastTrade (#174) is not in mixedCase
Constant TARP.deadAddress (#178) is not in UPPER_CASE_WITH_UNDERSCORES
Constant TARP._decimals (#163) is not in UPPER_CASE_WITH_UNDERSCORES
Parameter TARP.updateSwapEnabled(bool)._enabled (#599) is not in mixedCase
Constant TARP._name (#181) is not in UPPER_CASE_WITH_UNDERSCORES
Parameter TARP.updateCoolDownSettings(bool,uint256)._timeInSeconds (#603) is not in mixedCase
Parameter TARP.rescueAnyBEP20Tokens(address,address,uint256)._to (#637) is not in mixedCase
Parameter TARP.setTaxes(uint256,uint256,uint256,uint256)._liquidity (#357) is not in mixedCase
Follow the Solidity naming convention.
Additional information: link
Reentrancy in TARP._transfer(address,address,uint256) (#462-491):
External calls:
- swapAndLiquify(swapTokensAtAmount) (#487)
- address(devAddress).transfer(devAmt) (#547)
External calls sending eth:
- swapAndLiquify(swapTokensAtAmount) (#487)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
State variables written after the call(s):
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- _rOwned[address(this)] += rDev (#388)
- _rOwned[address(this)] += rLiquidity (#378)
- _rOwned[deadAddress] += rBurn (#398)
- _rOwned[sender] = _rOwned[sender] - s.rAmount (#506)
- _rOwned[recipient] = _rOwned[recipient] + s.rTransferAmount (#507)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- _rTotal -= rRfi (#367)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- _tOwned[address(this)] += tLiquidity (#376)
- _tOwned[sender] = _tOwned[sender] - tAmount (#500)
- _tOwned[deadAddress] += tBurn (#396)
- _tOwned[address(this)] += tDev (#386)
- _tOwned[recipient] = _tOwned[recipient] + s.tTransferAmount (#503)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- totFeesPaid.liquidity += tLiquidity (#372)
- totFeesPaid.burn += tBurn (#392)
- totFeesPaid.dev += tDev (#382)
- totFeesPaid.rfi += tRfi (#368)
Event emitted after the call(s):
- Transfer(sender,deadAddress,s.tBurn) (#518)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- Transfer(sender,recipient,s.tTransferAmount) (#521)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
- Transfer(sender,address(this),s.tLiquidity + s.tDev) (#522)
- _tokenTransfer(from,to,amount,! (_isExcludedFromFee[from] || _isExcludedFromFee[to])) (#490)
Reentrancy in TARP.transferFrom(address,address,uint256) (#277-285):
External calls:
- _transfer(sender,recipient,amount) (#278)
- address(devAddress).transfer(devAmt) (#547)
External calls sending eth:
- _transfer(sender,recipient,amount) (#278)
- router.addLiquidityETH{value: bnbAmount}(address(this),tokenAmount,0,0,owner(),block.timestamp) (#557-564)
- address(devAddress).transfer(devAmt) (#547)
State variables written after the call(s):
- _approve(sender,_msgSender(),currentAllowance - amount) (#282)
- _allowances[owner][spender] = amount (#457)
Event emitted after the call(s):
- Approval(owner,spender,amount) (#458)
- _approve(sender,_msgSender(),currentAllowance - amount) (#282)
Apply the check-effects-interactions pattern.
Additional information: link
TARP._tTotal (#166) should be constant
Add the constant attributes to state variables that never change.
Additional information: link
increaseAllowance(address,uint256) should be declared external:
- TARP.increaseAllowance(address,uint256) (#287-290)
name() should be declared external:
- TARP.name() (#244-246)
approve(address,uint256) should be declared external:
- TARP.approve(address,uint256) (#272-275)
renounceOwnership() should be declared external:
- Ownable.renounceOwnership() (#106-108)
totalSupply() should be declared external:
- TARP.totalSupply() (#254-256)
rescueAnyBEP20Tokens(address,address,uint256) should be declared external:
- TARP.rescueAnyBEP20Tokens(address,address,uint256) (#637-639)
includeInFee(address) should be declared external:
- TARP.includeInFee(address) (#348-350)
symbol() should be declared external:
- TARP.symbol() (#247-249)
decreaseAllowance(address,uint256) should be declared external:
- TARP.decreaseAllowance(address,uint256) (#292-298)
transferOwnership(address) should be declared external:
- Ownable.transferOwnership(address) (#110-113)
reflectionFromToken(uint256,bool) should be declared external:
- TARP.reflectionFromToken(uint256,bool) (#304-313)
decimals() should be declared external:
- TARP.decimals() (#250-252)
excludeFromFee(address) should be declared external:
- TARP.excludeFromFee(address) (#344-346)
setTaxes(uint256,uint256,uint256,uint256) should be declared external:
- TARP.setTaxes(uint256,uint256,uint256,uint256) (#357-363)
isExcludedFromReward(address) should be declared external:
- TARP.isExcludedFromReward(address) (#300-302)
isExcludedFromFee(address) should be declared external:
- TARP.isExcludedFromFee(address) (#353-355)
transfer(address,uint256) should be declared external:
- TARP.transfer(address,uint256) (#263-266)
allowance(address,address) should be declared external:
- TARP.allowance(address,address) (#268-270)
isBot(address) should be declared external:
- TARP.isBot(address) (#624-626)
transferFrom(address,address,uint256) should be declared external:
- TARP.transferFrom(address,address,uint256) (#277-285)
Use the external attribute for functions never called from the contract.
Additional information: link
Young tokens have high risks of price dump / death
Young tokens have high risks of price dump / death
Token has relatively low CoinGecko rank