# Gamezland
## Info
- Auditor: Mohamed Boukri.
- Commit hash:
git repository (commit hash)
## Disclaimers
## Issues
### burnFrom() is a public function [CRITICAL]
**Description**
Anyone can call `burnFrom()` and burn tokens from any address they choose. This puts both token holders and the owner at risk: an attacker can destroy any holder's balance at will, with no allowance or signature from the holder.
**File(s)**
* `Token.sol` (L82)
**Recommendation**
We suggest restricting this function to the owner. If third parties genuinely need to burn on a holder's behalf, require a spender allowance from the holder and spend it, as standard ERC20Burnable implementations do.
### Error in function logic [CRITICAL]
**Description**
The require statement is always false unless `amount == 0`, so `mint()` can never mint a non-zero amount and is effectively non-functional.
**File(s)**
* `Token.sol` (L65)
**Recommendation**
We recommend removing this require statement. If the intent is that the minted amount must not push the supply past a cap, add a `maxSupply` variable, set it in the constructor, and check `totalSupply + amount <= maxSupply` in `mint()`.
### Centralisation risk [HIGH]
**Description**
Beyond the fact that this function is public, restricting it to the owner alone would give the owner unilateral control over the token distribution. This is a centralisation risk: holders must trust that a single key is never used, or compromised, to burn their balances.
**File(s)**
* `Token.sol` (L82)
**Recommendation**
We suggest removing this function, or at minimum placing it behind a multisig or timelock rather than a single owner key.
### mint should be locked for 2 years [HIGH]
**Description**
As the white paper states, the `mint()` function should be locked for 2 years after deployment. If that restriction is not enforced on-chain, the contract does not match the white paper, which undermines trust between the owner and the users.
**File(s)**
* `Token.sol` (L82)
**Recommendation**
We suggest adding a require statement so that the function can only be called once 2 years have elapsed since deployment: record the unlock timestamp in the constructor and compare it against `block.timestamp` in `mint()`.
### Usage of tx.origin [MEDIUM]
**Description**
Never use `tx.origin` for authorization. `tx.origin` is the externally owned account that started the transaction, not the immediate caller. If a user is lured into calling a malicious contract, that contract can in turn call your contract, and your contract will authorize the call because the user's address is in `tx.origin`.
**File(s)**
* `Token.sol` (L26)
**Recommendation**
Use `msg.sender` for authorization: when another contract calls your contract, `msg.sender` is that contract's address, not the address of the user who started the transaction, so the check fails as intended.
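As an added illustration of the pattern described above (not code from the audited project), the hypothetical `VulnerableWallet` below authorizes with `tx.origin`, `Phisher` is the intermediary contract a victim is tricked into calling, and `SafeWallet` shows the `msg.sender` fix. All contract and function names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.2;

// Hypothetical wallet using tx.origin for authorization (the anti-pattern).
contract VulnerableWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    function withdrawAll(address payable to) external {
        // BUG: tx.origin is the EOA that started the transaction, not the
        // immediate caller, so any contract the owner calls can reach here.
        require(tx.origin == owner, "not owner");
        to.transfer(address(this).balance);
    }
}

// Contract the attacker lures the wallet owner into calling. When the
// owner's EOA calls claim(), tx.origin is the owner, the wallet's check
// passes, and the balance is sent to the attacker.
contract Phisher {
    VulnerableWallet private immutable target;
    address payable private immutable attacker;

    constructor(VulnerableWallet _target) {
        target = _target;
        attacker = payable(msg.sender);
    }

    function claim() external {
        target.withdrawAll(attacker);
    }
}

// Fixed wallet: msg.sender is the direct caller. When Phisher calls,
// msg.sender is the Phisher contract, not the owner, so the require reverts.
contract SafeWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    function withdrawAll(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}
```

The only difference between the two wallets is the identity checked in the `require`; that one word decides whether an intermediary contract can act on the owner's behalf.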
### Missing address verification [LOW]
**Description**
The address-type argument `_owner` is not checked against the zero address. If the contract is deployed with `_owner = address(0)`, every owner-restricted function becomes permanently inaccessible.
**File(s)**
* `Token.sol` (L20)
**Recommendation**
We recommend verifying that address arguments are different from `address(0)` before storing them, e.g. `require(_owner != address(0));` in the constructor.
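The following added example (not Gamezland's code) brings together the three constructor and `mint()` recommendations above: the zero-address check on `_owner`, a `maxSupply` cap fixed at deployment in place of the always-false require, and the 2-year lock on `mint()`. The names `maxSupply`, `mintUnlockTime` and `MINT_LOCK`, and the choice of 730 days for "2 years", are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.2;

// Hypothetical replacement for the constructor and mint() discussed above.
// Not the audited Token.sol; names and the 730-day lock are assumptions.
contract TokenMintExample {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public owner;

    // Hard cap fixed at deployment; replaces the always-false require.
    uint256 public immutable maxSupply;
    // Timestamp before which mint() reverts (2 years, per the white paper).
    uint256 public immutable mintUnlockTime;
    uint256 public constant MINT_LOCK = 730 days;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(address _owner, uint256 _maxSupply) {
        require(_owner != address(0), "owner is the zero address");
        require(_maxSupply > 0, "max supply is zero");
        owner = _owner;
        maxSupply = _maxSupply;
        mintUnlockTime = block.timestamp + MINT_LOCK;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        require(block.timestamp >= mintUnlockTime, "mint is locked");
        require(to != address(0), "mint to the zero address");
        // Checked arithmetic in 0.8.x reverts on overflow, so this is safe.
        require(totalSupply + amount <= maxSupply, "max supply exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}
```

Two caveats: `730 days` ignores leap days, so state the exact unlock timestamp in the documentation rather than "2 years"; and because `mint()` is unusable until then, any initial allocation has to be made in the constructor.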
### Floating Pragma [LOW]
**Description**
The contract uses a floating pragma on version 0.8.2 (for example `pragma solidity ^0.8.2;`). Contracts should be deployed using the same compiler version and flags that were used during testing. Locking the pragma ensures that contracts are not unintentionally compiled with another version, such as an obsolete or newer release that may introduce issues in the contract system.
**File(s)**
* `Token.sol` (L5)
**Recommendation**
Consider locking the pragma version (`pragma solidity 0.8.2;`). Floating pragmas should not be used in production. Both `truffle-config.js` and `hardhat.config.js` allow pinning the compiler version used for compilation, which should match the locked pragma.
### [Best-Practice]
**Description**
It is better to