# Ulti Audit
## Info
- Auditor: Mohamed Boukri.
- Commit hash:
git repository (commit hash)
## Disclaimers
## Issues
## BscUltiCoin.sol
### Owner can blacklist any address [HIGH]
**Description**
The owner can blacklist any address through the setBotsBlacklisting() function, so any holder's tokens can be frozen at any time at the owner's discretion. This is a centralization risk: holders must trust that the blacklist will only ever be used against bots.
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L248)
**Recommendation**
We recommend restricting the blacklist so that it can only realistically target bot addresses, for example by limiting additions to a short window after launch (removals can remain possible so that mistakes can be undone), and by publishing the criteria so holders can verify how it is used.
### The Tax variables are controlled by the owner [HIGH]
**Description**
The owner has full control over feePercent, burnPercent and liquidityPercent through the setTax() function and can change them at any time, so the values are not guaranteed to stay in line with what was agreed with the community.
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L189)
**Recommendation**
We recommend handling the owner account with extreme care. We also suggest considering the following alternatives:
- A multisig wallet with community-voted, independent third-party co-signers.
- A DAO or governance model that improves transparency and community participation.
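A code-level complement to the governance measures above, as an added example written for this review and not the project's own setTax(): a hard cap on the combined percentages compiled into the contract, plus a notice period between announcing and applying a change, so that whoever holds the owner key (an EOA, a multisig or a DAO executor) is still bounded on-chain and holders see a change coming. The `Owned` base, the 10 percent cap, the one-day delay and the assumption that percentages are whole numbers are all choices made for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.6;

/// Minimal owner base, inlined so the example compiles without dependencies.
abstract contract Owned {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }
}

/// Hypothetical tax configuration (not BscUltiCoin's setTax()).
contract BoundedTax is Owned {
    // Ceilings compiled into the bytecode; no owner can exceed them.
    uint256 public constant MAX_TOTAL_PERCENT = 10; // fee + burn + liquidity
    uint256 public constant TAX_DELAY = 1 days;      // notice period before a change applies

    uint256 public feePercent;
    uint256 public burnPercent;
    uint256 public liquidityPercent;

    // Scheduled change, applied only once the delay has elapsed.
    uint256 public pendingFee;
    uint256 public pendingBurn;
    uint256 public pendingLiquidity;
    uint256 public pendingEffectiveAt; // 0 when nothing is scheduled

    event TaxScheduled(uint256 fee, uint256 burn, uint256 liquidity, uint256 effectiveAt);
    event TaxApplied(uint256 fee, uint256 burn, uint256 liquidity);

    constructor(uint256 fee, uint256 burn, uint256 liquidity) {
        require(fee + burn + liquidity <= MAX_TOTAL_PERCENT, "tax above cap");
        feePercent = fee;
        burnPercent = burn;
        liquidityPercent = liquidity;
    }

    /// Step 1: the owner announces the new values. The cap is enforced here, so an
    /// out-of-range request never enters the queue.
    function setTax(uint256 fee, uint256 burn, uint256 liquidity) external onlyOwner {
        require(fee + burn + liquidity <= MAX_TOTAL_PERCENT, "tax above cap");
        pendingFee = fee;
        pendingBurn = burn;
        pendingLiquidity = liquidity;
        pendingEffectiveAt = block.timestamp + TAX_DELAY;
        emit TaxScheduled(fee, burn, liquidity, pendingEffectiveAt);
    }

    /// Step 2: anyone may apply the announced values once the notice period is over,
    /// so the owner cannot announce a mild change and then apply a different one.
    function applyTax() external {
        require(pendingEffectiveAt != 0, "nothing scheduled");
        require(block.timestamp >= pendingEffectiveAt, "delay not elapsed");
        feePercent = pendingFee;
        burnPercent = pendingBurn;
        liquidityPercent = pendingLiquidity;
        pendingEffectiveAt = 0;
        emit TaxApplied(feePercent, burnPercent, liquidityPercent);
    }

    /// Total tax currently charged, as a whole percentage.
    function totalTaxPercent() external view returns (uint256) {
        return feePercent + burnPercent + liquidityPercent;
    }
}
```

The cap is the part that survives any governance change: even if the owner key is compromised or the multisig signers collude, the combined tax can never exceed MAX_TOTAL_PERCENT because the check is in the bytecode rather than in a policy.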
### Address verification [MEDIUM]
**Description**
The setBotsBlacklisting(), setRewardExclusion(), setFeeExclusion(), setAccountLimitExclusion() and setTransferLimitExclusion() functions accept any address. They should reject the owner, the token contract itself, the swapPair and the swapRouter addresses; blacklisting the pair or the router in particular would stop every swap through the DEX.
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L199)
**Recommendation**
We recommend adding a require statement to each of these functions that rejects the addresses listed in the description.
### Owner Can Renounce Ownership [LOW]
**Description**
Typically, the account that deploys the contract is also its owner, and only that account can call the owner-restricted functions. renounceOwnership() sets the owner to the zero address. If it is called, deliberately or by mistake, without ownership having first been transferred to another account, the contract has no owner ever again and every owner-exclusive function (setTax(), setBotsBlacklisting() and the exclusion setters) becomes permanently unavailable.
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L21)
**Recommendation**
We recommend preventing the owner from calling renounceOwnership() unless ownership has first been transferred to a different address. If a multi-signature wallet owns the contract, renouncing requires confirmation from two or more signers, which protects against a single mistaken call. Alternatively, disable renouncing entirely by overriding renounceOwnership() so that it reverts.
### Missing address verification [LOW]
**Description**
The address-type arguments `owner` and `router` in the constructor, `owner` and `spender` in allowance(), and `account` in balanceOf() are not checked against the zero address. The constructor arguments matter most: a zero owner or router cannot be corrected afterwards and leaves parts of the contract unusable. For the view functions the check is only a sanity measure; ERC-20 does not require allowance() or balanceOf() to revert on address(0).
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L65,L95,L99,L117,L233,L243,L254)
**Recommendation**
We recommend verifying that the addresses passed as arguments are not address(0), in the constructor and in every setter that stores an address.
### For Loop Over Dynamic Array [LOW]
**Description**
Every deployment and function call consumes gas in proportion to the computation it performs. A function that iterates over an array of unbounded size costs more gas as the array grows, and once the loop needs more gas than the block gas limit the call can no longer succeed. Simply by making the array large enough, the gas limit is exceeded and the transaction can never succeed, which is a Denial of Service against that function.
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L249,L592)
**Recommendation**
Avoid operations that loop over an entire data structure of unbounded size. If the loop is unavoidable, bound each call (a maximum batch length) or spread the work over several transactions, for example with a stored cursor that records where the previous call stopped.
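The three findings above that touch the blacklist (owner can freeze anyone, no exclusion of the owner/contract/pair/router, unbounded loop over the supplied array) can be addressed in one setter. The following is an added example written for this review, not code from the Ulti contracts; the contract name, the `Owned` base, the 100-block window after launch, the batch size of 50 and the `enableTrading()` hook are assumptions chosen to illustrate the pattern:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.6;

/// Minimal owner base, inlined so the example compiles without dependencies.
abstract contract Owned {
    address public owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }
}

/// Hypothetical token fragment (not BscUltiCoin) with a constrained blacklist.
contract BotGuardedToken is Owned {
    uint256 public constant MAX_BATCH = 50;         // upper bound for the loop
    uint256 public constant BLACKLIST_WINDOW = 100; // blocks after launch in which
                                                    // addresses may still be added
    address public immutable swapRouter;
    address public immutable swapPair;
    uint256 public launchBlock; // 0 until trading is enabled

    mapping(address => bool) public isBlacklisted;

    event BlacklistUpdated(address indexed account, bool blacklisted);

    constructor(address router, address pair) {
        require(router != address(0) && pair != address(0), "zero address");
        swapRouter = router;
        swapPair = pair;
    }

    /// Starts the blacklist clock; can only happen once.
    function enableTrading() external onlyOwner {
        require(launchBlock == 0, "already launched");
        launchBlock = block.number;
    }

    /// Addresses the owner must never be able to freeze: freezing the pair or
    /// router would halt every swap, freezing the contract itself breaks liquification.
    function isProtected(address account) public view returns (bool) {
        return account == address(0)
            || account == owner
            || account == address(this)
            || account == swapPair
            || account == swapRouter;
    }

    function setBotsBlacklisting(address[] calldata accounts, bool blacklisted)
        external
        onlyOwner
    {
        // Bounded batch: a huge array cannot push the call past the block gas limit.
        require(accounts.length <= MAX_BATCH, "batch too large");
        if (blacklisted) {
            // Adding is only possible during the launch window; removing stays
            // allowed so a mistaken entry can be undone after the window closes.
            require(launchBlock != 0, "not launched");
            require(block.number <= launchBlock + BLACKLIST_WINDOW, "blacklist window closed");
        }
        for (uint256 i = 0; i < accounts.length; i++) {
            address account = accounts[i];
            require(!isProtected(account), "protected address");
            isBlacklisted[account] = blacklisted;
            emit BlacklistUpdated(account, blacklisted);
        }
    }
}
```

The same `isProtected()` check is what the other setters named in the address-verification finding (setRewardExclusion(), setFeeExclusion(), setAccountLimitExclusion(), setTransferLimitExclusion()) would call before storing anything. The window turns the HIGH centralization finding into a bounded, auditable power: after BLACKLIST_WINDOW blocks the owner can only ever unfreeze.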
### Floating Pragma [LOW]
**Description**
The contract uses a floating pragma for compiler version 0.8.6 rather than an exact version. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma ensures the contract is not unintentionally compiled with a different version, such as an older one with known bugs or a newer one with changed semantics.
**File(s)**
* `contracts/bsc/BscUltiCoin.sol` (L3)
**Recommendation**
Consider locking the pragma to the exact version used for testing (`pragma solidity 0.8.6;`). Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js allow pinning the compiler version so that the build matches the locked pragma.
## TokensLiquify.sol
### Owner Can Renounce Ownership [LOW]
**Description**
Typically, the account that deploys the contract is also its owner, and only that account can call the owner-restricted functions. renounceOwnership() sets the owner to the zero address. If it is called, deliberately or by mistake, without ownership having first been transferred to another account, the contract has no owner ever again and every owner-exclusive function becomes permanently unavailable.
**File(s)**
* `contracts/bsc/extensions/TokensLiquify.sol` (L9)
**Recommendation**
We recommend preventing the owner from calling renounceOwnership() unless ownership has first been transferred to a different address. If a multi-signature wallet owns the contract, renouncing requires confirmation from two or more signers, which protects against a single mistaken call. Alternatively, disable renouncing entirely by overriding renounceOwnership() so that it reverts.
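One way to implement the "disable by overriding" option, applicable to both the BscUltiCoin and the TokensLiquify findings above. This is an added example, not the project's code: a self-contained owner base in which renounceOwnership() always reverts and ownership changes are two-step, so a mistyped address cannot strand the contract either. The contract and function names are assumptions; if the real contracts inherit OpenZeppelin's Ownable, the same override works there because its renounceOwnership() is declared `virtual`:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.6;

/// Hypothetical owner base: renouncing is disabled and transfers are two-step.
abstract contract SafeOwnable {
    address public owner;
    address public pendingOwner;

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    /// Kept for interface compatibility but always reverts, so ownership can
    /// never be dropped to address(0). With OpenZeppelin's Ownable this would be
    /// `function renounceOwnership() public view override onlyOwner`.
    function renounceOwnership() public view onlyOwner {
        revert("renounce disabled");
    }

    /// Step 1: the current owner nominates a successor. Nothing changes until the
    /// nominee accepts, so a typo in newOwner cannot lock the contract.
    function transferOwnership(address newOwner) public onlyOwner {
        require(newOwner != address(0), "zero address");
        require(newOwner != owner, "already owner");
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    /// Step 2: the nominee accepts, proving the key is live and controlled.
    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        address previous = owner;
        owner = pendingOwner;
        pendingOwner = address(0);
        emit OwnershipTransferred(previous, owner);
    }
}

/// Example consumer: its owner-only configuration stays reachable forever.
contract Liquifier is SafeOwnable {
    uint256 public liquifyThreshold;

    function setLiquifyThreshold(uint256 threshold) external onlyOwner {
        liquifyThreshold = threshold;
    }
}
```

Because `renounceOwnership()` only reads state through the `onlyOwner` modifier, it can be declared `view`; a non-owner caller gets the "not owner" revert and the owner gets "renounce disabled", so neither path can ever reach a zero owner.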
### Avoid using .transfer() to transfer BNB [LOW]
**Description**
transfer() and send() forward a fixed 2300-gas stipend, which used to be recommended as reentrancy protection because it is too little gas to do anything beyond emitting an event. Gas repricing of opcodes in later hard forks (for example EIP-1884, which raised the cost of SLOAD) can push a recipient's receive()/fallback() over that stipend, so BNB sent with transfer() to a contract recipient such as a multisig wallet or a proxy may revert after a fork even though it worked when the contract was deployed.
**File(s)**
* `contracts/bsc/extensions/TokensLiquify.sol` (L)
**Recommendation**
Consider using `.call{value: ...}("")` instead, without a hardcoded gas limit, and protect against reentrancy with the checks-effects-interactions pattern or a reentrancy guard rather than relying on the stipend. Check the returned boolean and revert on failure.
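The two patterns side by side, as an added example that is not TokensLiquify's code: a hypothetical contract that pays out BNB once with transfer() (kept to show the failure mode) and once with call() under checks-effects-interactions and a reentrancy guard, plus a recipient whose receive() costs more than the 2300-gas stipend. Contract and function names are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.6;

/// Hypothetical BNB-paying contract showing the old and the recommended pattern.
contract BnbPayout {
    address public owner;
    bool private locked;
    mapping(address => uint256) public owed;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    /// Simple mutex: a re-entrant call into any nonReentrant function reverts.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Funds the payout pool.
    receive() external payable {}

    function credit(address to, uint256 amount) external onlyOwner {
        owed[to] += amount;
    }

    /// BEFORE: the 2300-gas stipend reverts whenever msg.sender is a contract
    /// whose receive()/fallback() does more than log an event (multisig wallets,
    /// proxies). Kept only to demonstrate the failure mode.
    function withdrawWithTransfer() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }

    /// AFTER: forward all gas, but apply checks-effects-interactions and the
    /// mutex so the extra gas cannot be used to re-enter before state is updated.
    function withdraw() external nonReentrant {
        uint256 amount = owed[msg.sender];                   // checks
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                                // effects
        (bool ok, ) = payable(msg.sender).call{value: amount}(""); // interaction
        require(ok, "BNB transfer failed");
    }
}

/// Recipient whose receive() writes storage (roughly 20k gas for the first write):
/// withdrawWithTransfer() reverts for it, withdraw() succeeds.
contract GasHungryReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value;
    }
}
```

Note that the balance is zeroed before the external call in withdraw(): even without the mutex, a re-entrant call would find owed[msg.sender] == 0 and revert. The guard is belt-and-braces for functions where the effects cannot all be applied before the interaction.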
### Missing address verification [LOW]
**Description**
The address-type arguments of these functions are not checked against the zero address. Storing address(0) (for example as the router) can make the contract's liquification functionality inaccessible.
**File(s)**
* `contracts/bsc/extensions/TokensLiquify.sol` (L35, L43, L49)
**Recommendation**
We recommend verifying that the addresses passed as arguments are not address(0), in the constructor and in every setter that stores an address.
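One reusable check covering both zero-address findings (BscUltiCoin's constructor and setters above, and TokensLiquify here), as an added example rather than the project's code. A single modifier guards the constructor and every address setter, and a custom error names the offending parameter so tests can match on it. The contract name, the `router`/`pair` fields and the setters are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.6;

/// Custom error (available since Solidity 0.8.4) naming the bad parameter;
/// cheaper than a revert string and easy to assert on in tests.
error ZeroAddress(string param);

/// Hypothetical configuration holder (not TokensLiquify) with one zero-address
/// check shared by the constructor and all address setters.
contract LiquifyConfig {
    address public owner;
    address public router;
    address public pair;

    event RouterUpdated(address indexed router);
    event PairUpdated(address indexed pair);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonZero(address account, string memory param) {
        if (account == address(0)) revert ZeroAddress(param);
        _;
    }

    // Constructor arguments are the critical case: a zero owner locks every
    // onlyOwner function forever, and a zero router cannot be repaired if no
    // setter exists for it.
    constructor(address owner_, address router_)
        nonZero(owner_, "owner")
        nonZero(router_, "router")
    {
        owner = owner_;
        router = router_;
    }

    function setRouter(address router_) external onlyOwner nonZero(router_, "router") {
        router = router_;
        emit RouterUpdated(router_);
    }

    function setPair(address pair_) external onlyOwner nonZero(pair_, "pair") {
        pair = pair_;
        emit PairUpdated(pair_);
    }
}
```

Applying the modifier to view functions such as balanceOf() or allowance() is deliberately left out: ERC-20 callers may legitimately query address(0) (for example to read burned balances), so the check belongs on state-changing paths.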
### Floating Pragma [LOW]
**Description**
The contract uses a floating pragma for compiler version 0.8.6 rather than an exact version. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma ensures the contract is not unintentionally compiled with a different version, such as an older one with known bugs or a newer one with changed semantics.
**File(s)**
* `contracts/bsc/extensions/TokensLiquify.sol` (L3)
**Recommendation**
Consider locking the pragma to the exact version used for testing (`pragma solidity 0.8.6;`). Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js allow pinning the compiler version so that the build matches the locked pragma.