# BTCBULLS
## Info
- Auditor: mohamed moualim
- Commit hash:
git repository (commit hash)
## Disclaimers
## Issues
## Centralization Risk
## [High]
**Description**
The owner can use the withdrawtoken() function to withdraw the contract's entire balance.
The owner therefore controls the contract's balance and can cause problems by using this function.
**file**
* `contracts/TheRanchBTCBullsCommunity.sol` (L679)
**Recommendation**
We recommend limiting the amount that can be withdrawn, or only allowing withdrawal of an amount lower than btcBullOwners.WBTC_Balance.
## Reward distribution is controlled by the owner
## [High]
**Description**
The owner can control who receives the reward, because the owner knows the addresses in the dailyRafflePlayers array.
**file**
* `contracts/TheRanchBTCBullsCommunity.sol` (L788)
**Recommendation**
We recommend generating a random number to use as the index into the array that selects the winner.
## Avoid using .transfer() to transfer Ether
## [Low]
**Description**
Although transfer() and send() are recommended as a security best-practice to prevent reentrancy attacks because they only forward 2300 gas, the gas repricing of opcodes may break deployed contracts.
**file**
* `contracts/TheRanchBTCBullsCommunity.sol` (L676)
**Recommendation**
Consider using `.call{ value: ... }("")` instead, without hardcoded gas limits, along with the checks-effects-interactions pattern or reentrancy guards for reentrancy protection.
## Owner Can Renounce Ownership
## [Low]
**Description**
The owner is able to engage in certain privileged activities in his own name. In smart contracts, the renounceOwnership function is used to renounce ownership. If it is called before the contract's ownership has been transferred, the contract will never have an owner again, rendering some owner-exclusive functionality unavailable.
**file**
* `contracts/TheRanchBTCBullsCommunity.sol` (L43)
**Recommendation**
We recommend that you prevent the owner from calling renounceOwnership without first transferring ownership to a different address. Additionally, if you decide to use a multi-signature wallet, executing renounceOwnership will require confirmation from at least two users. Alternatively, you can disable the renounce-ownership functionality by overriding it.
## Floating Pragma
## [Low]
**Description**
The contract makes use of the floating pragma 0.8.0. Contracts should be deployed using the same compiler version and flags that were used during the testing process. Locking the pragma helps ensure that contracts are not unintentionally deployed using another pragma, such as an obsolete version that may introduce issues in the contract system.
**file**
* `contracts/TheRanchBTCBullsCommunity.sol` (L2)
**Recommendation**
Consider locking the pragma version. It is advised that a floating pragma not be used in production. Both truffle-config.js and hardhat.config.js support locking the pragma version.
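
The three Low recommendations above (call-based Ether transfer with checks-effects-interactions and a reentrancy guard, a disabled renounceOwnership, and a locked pragma) are combined in the sketch below. It is an added example, not code from the audited repository. The contract name, storage layout, function names and compiler version are hypothetical, and it assumes OpenZeppelin Contracts 4.x import paths.

```solidity
// SPDX-License-Identifier: MIT
// Locked pragma: one exact compiler version, no ^ or range (version chosen for illustration).
pragma solidity 0.8.17;

// Assumption: OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical contract: names and storage are not taken from the audited code.
contract PayoutSketch is Ownable, ReentrancyGuard {
    mapping(address => uint256) public pendingEther; // Ether owed to each account

    event Credited(address indexed account, uint256 amount);
    event Withdrawn(address indexed account, uint256 amount);

    // The owner funds an account's payout.
    function credit(address account) external payable onlyOwner {
        pendingEther[account] += msg.value;
        emit Credited(account, msg.value);
    }

    // Pull payment that uses call instead of transfer()/send().
    function withdraw() external nonReentrant {
        // Checks
        uint256 amount = pendingEther[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Effects: clear the balance before the external call
        pendingEther[msg.sender] = 0;
        // Interaction: no hardcoded gas limit, and the return value is checked
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "Ether transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Ownership can still be moved with transferOwnership, but it cannot be dropped.
    function renounceOwnership() public view override onlyOwner {
        revert("renounceOwnership disabled");
    }
}
```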