From 5c483fdbf1f454ca42c1fd9b85353b0b9241c43a Mon Sep 17 00:00:00 2001 From: Tilak Madichetti Date: Mon, 2 Sep 2024 19:47:54 +0530 Subject: [PATCH] Fix: Send Ether No Checks (Change satisfaction condition from `msg.sender` to any address) (#703) Co-authored-by: Alex Roan --- .../src/detect/high/send_ether_no_checks.rs | 30 +- reports/report.json | 312 +++++++++- reports/report.md | 343 ++++++++++- reports/report.sarif | 552 +++++++++++++++++- reports/templegold-report.md | 48 +- tests/contract-playground/src/Trump.sol | 351 +++++++++++ 6 files changed, 1552 insertions(+), 84 deletions(-) create mode 100644 tests/contract-playground/src/Trump.sol diff --git a/aderyn_core/src/detect/high/send_ether_no_checks.rs b/aderyn_core/src/detect/high/send_ether_no_checks.rs index 7ebc7044..364097d2 100644 --- a/aderyn_core/src/detect/high/send_ether_no_checks.rs +++ b/aderyn_core/src/detect/high/send_ether_no_checks.rs @@ -24,11 +24,11 @@ pub struct SendEtherNoChecksDetector { impl IssueDetector for SendEtherNoChecksDetector { fn detect(&mut self, context: &WorkspaceContext) -> Result> { for func in helpers::get_implemented_external_and_public_functions(context) { - let mut tracker = MsgSenderAndCallWithValueTracker::default(); + let mut tracker = AddressChecksAndCallWithValueTracker::default(); let callgraph = CallGraph::new(context, &[&(func.into())], CallGraphDirection::Inward)?; callgraph.accept(context, &mut tracker)?; - if tracker.sends_native_eth && !tracker.has_msg_sender_checks { + if tracker.sends_native_eth && !tracker.has_binary_checks_on_some_address { capture!(self, context, func); } } @@ -41,11 +41,11 @@ impl IssueDetector for SendEtherNoChecksDetector { } fn title(&self) -> String { - String::from("Sending native Eth is not protected from these functions.") + String::from("Functions send eth away from contract but performs no checks on any address.") } fn description(&self) -> String { - String::from("Introduce checks for `msg.sender` in the function") + String::from("Consider introducing checks for `msg.sender` to ensure the recipient of the money is as intended.") } fn instances(&self) -> BTreeMap<(String, usize, String), NodeID> { @@ -83,29 +83,21 @@ mod send_ether_no_checks_detector_tests { detector.severity(), crate::detect::detector::IssueSeverity::High ); - // assert the title is correct - assert_eq!( - detector.title(), - String::from("Sending native Eth is not protected from these functions.") - ); - // assert the description is correct - assert_eq!( - detector.description(), - String::from("Introduce checks for `msg.sender` in the function") - ); } } #[derive(Default)] -pub struct MsgSenderAndCallWithValueTracker { - pub has_msg_sender_checks: bool, +pub struct AddressChecksAndCallWithValueTracker { + pub has_binary_checks_on_some_address: bool, pub sends_native_eth: bool, } -impl CallGraphVisitor for MsgSenderAndCallWithValueTracker { +impl CallGraphVisitor for AddressChecksAndCallWithValueTracker { fn visit_any(&mut self, node: &ASTNode) -> eyre::Result<()> { - if !self.has_msg_sender_checks && helpers::has_msg_sender_binary_operation(node) { - self.has_msg_sender_checks = true; + if !self.has_binary_checks_on_some_address + && helpers::has_binary_checks_on_some_address(node) + { + self.has_binary_checks_on_some_address = true; } if !self.sends_native_eth && helpers::has_calls_that_sends_native_eth(node) { self.sends_native_eth = true; diff --git a/reports/report.json b/reports/report.json index dc9fb4f0..059a42cf 100644 --- a/reports/report.json +++ b/reports/report.json @@ -1,7 +1,7 @@ { "files_summary": { - "total_source_units": 107, - "total_sloc": 3509 + "total_source_units": 108, + "total_sloc": 3790 }, "files_details": { "files_details": [ @@ -277,6 +277,10 @@ "file_path": "src/TestERC20.sol", "n_sloc": 62 }, + { + "file_path": "src/Trump.sol", + "n_sloc": 281 + }, { "file_path": "src/TxOriginUsedForAuth.sol", "n_sloc": 43 @@ -484,6 +488,12 @@ "description": "In the PoS model, proposers know well in advance if they will propose one or consecutive blocks ahead of time. In such a scenario, a malicious validator can hold back the transaction and execute it at a more favourable block number.Consider allowing function caller to specify swap deadline input parameter.", "detector_name": "block-timestamp-deadline", "instances": [ + { + "contract_path": "src/Trump.sol", + "line_no": 290, + "src": "9949:190", + "src_char": "9949:190" + }, { "contract_path": "src/uniswap/UniswapV2Swapper.sol", "line_no": 23, @@ -1753,8 +1763,8 @@ ] }, { - "title": "Sending native Eth is not protected from these functions.", - "description": "Introduce checks for `msg.sender` in the function", + "title": "Functions send eth away from contract but performs no checks on any address.", + "description": "Consider introducing checks for `msg.sender` to ensure the recipient of the money is as intended.", "detector_name": "send-ether-no-checks", "instances": [ { @@ -1829,6 +1839,12 @@ "src": "1795:5", "src_char": "1795:5" }, + { + "contract_path": "src/Trump.sol", + "line_no": 321, + "src": "10940:10", + "src_char": "10940:10" + }, { "contract_path": "src/UncheckedCalls.sol", "line_no": 6, @@ -2001,6 +2017,12 @@ "src": "4146:20", "src_char": "4146:20" }, + { + "contract_path": "src/Trump.sol", + "line_no": 344, + "src": "11990:71", + "src_char": "11990:71" + }, { "contract_path": "src/UncheckedReturn.sol", "line_no": 14, @@ -2582,6 +2604,30 @@ "src": "250:9", "src_char": "250:9" }, + { + "contract_path": "src/Trump.sol", + "line_no": 92, + "src": "2714:9", + "src_char": "2714:9" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 123, + "src": "3592:7", + "src_char": "3592:7" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 299, + "src": "10185:9", + "src_char": "10185:9" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 338, + "src": "11494:11", + "src_char": "11494:11" + }, { "contract_path": "src/auditor_mode/PublicFunctionsWithoutSenderCheck.sol", "line_no": 9, @@ -2754,6 +2800,36 @@ "src": "368:19", "src_char": "368:19" }, + { + "contract_path": "src/Trump.sol", + "line_no": 309, + "src": "10512:19", + "src_char": "10512:19" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 310, + "src": "10557:20", + "src_char": "10557:20" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 318, + "src": "10869:29", + "src_char": "10869:29" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 324, + "src": "11111:28", + "src_char": "11111:28" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 344, + "src": "11990:29", + "src_char": "11990:29" + }, { "contract_path": "src/UninitializedStateVariable.sol", "line_no": 18, @@ -3273,6 +3349,60 @@ "src": "2539:25", "src_char": "2539:25" }, + { + "contract_path": "src/Trump.sol", + "line_no": 92, + "src": "2679:17", + "src_char": "2679:17" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 180, + "src": "5624:4", + "src_char": "5624:4" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 184, + "src": "5711:6", + "src_char": "5711:6" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 188, + "src": "5802:8", + "src_char": "5802:8" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 192, + "src": "5889:11", + "src_char": "5889:11" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 200, + "src": "6111:8", + "src_char": "6111:8" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 205, + "src": "6281:9", + "src_char": "6281:9" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 209, + "src": "6428:7", + "src_char": "6428:7" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 214, + "src": "6592:12", + "src_char": "6592:12" + }, { "contract_path": "src/UninitializedLocalVariables.sol", "line_no": 7, @@ -3748,6 +3878,30 @@ "src": "9671:3", "src_char": "9671:3" }, + { + "contract_path": "src/Trump.sol", + "line_no": 233, + "src": "7704:3", + "src_char": "7704:3" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 250, + "src": "8497:3", + "src_char": "8497:3" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 306, + "src": "10426:3", + "src_char": "10426:3" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 307, + "src": "10498:3", + "src_char": "10498:3" + }, { "contract_path": "src/UncheckedReturn.sol", "line_no": 27, @@ -3917,6 +4071,36 @@ "src": "413:70", "src_char": "413:70" }, + { + "contract_path": "src/Trump.sol", + "line_no": 31, + "src": "891:72", + "src_char": "891:72" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 32, + "src": "968:78", + "src_char": "968:78" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 159, + "src": "4970:44", + "src_char": "4970:44" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 160, + "src": "5019:33", + "src_char": "5019:33" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 161, + "src": "5057:62", + "src_char": "5057:62" + }, { "contract_path": "src/UncheckedReturn.sol", "line_no": 17, @@ -4044,6 +4228,12 @@ "src": "135:7", "src_char": "135:7" }, + { + "contract_path": "src/Trump.sol", + "line_no": 240, + "src": "8065:7", + "src_char": "8065:7" + }, { "contract_path": "src/ZeroAddressCheck.sol", "line_no": 13, @@ -4269,6 +4459,12 @@ "src": "32:23", "src_char": "32:23" }, + { + "contract_path": "src/Trump.sol", + "line_no": 16, + "src": "227:23", + "src_char": "227:23" + }, { "contract_path": "src/TxOriginUsedForAuth.sol", "line_no": 2, @@ -4450,6 +4646,12 @@ "src": "107:74", "src_char": "107:74" }, + { + "contract_path": "src/Trump.sol", + "line_no": 162, + "src": "5133:11", + "src_char": "5133:11" + }, { "contract_path": "src/UnprotectedInitialize.sol", "line_no": 13, @@ -4817,6 +5019,24 @@ "line_no": 51, "src": "1550:7", "src_char": "1550:7" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 145, + "src": "4412:8", + "src_char": "4412:8" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 148, + "src": "4579:6", + "src_char": "4579:6" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 151, + "src": "4756:6", + "src_char": "4756:6" } ] }, @@ -4915,6 +5135,18 @@ "src": "388:11", "src_char": "388:11" }, + { + "contract_path": "src/Trump.sol", + "line_no": 46, + "src": "1403:3", + "src_char": "1403:3" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 65, + "src": "1976:3", + "src_char": "1976:3" + }, { "contract_path": "src/UncheckedSend.sol", "line_no": 27, @@ -5013,6 +5245,12 @@ "src": "133:6", "src_char": "133:6" }, + { + "contract_path": "src/Trump.sol", + "line_no": 159, + "src": "5000:12", + "src_char": "5000:12" + }, { "contract_path": "src/UninitializedLocalVariables.sol", "line_no": 9, @@ -6136,6 +6374,72 @@ "src": "2068:13", "src_char": "2068:13" }, + { + "contract_path": "src/Trump.sol", + "line_no": 130, + "src": "3920:20", + "src_char": "3920:20" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 131, + "src": "3967:21", + "src_char": "3967:21" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 135, + "src": "4041:14", + "src_char": "4041:14" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 136, + "src": "4080:15", + "src_char": "4080:15" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 137, + "src": "4120:12", + "src_char": "4120:12" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 138, + "src": "4156:13", + "src_char": "4156:13" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 139, + "src": "4193:15", + "src_char": "4193:15" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 140, + "src": "4233:16", + "src_char": "4233:16" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 141, + "src": "4274:18", + "src_char": "4274:18" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 150, + "src": "4682:17", + "src_char": "4682:17" + }, + { + "contract_path": "src/Trump.sol", + "line_no": 151, + "src": "4743:11", + "src_char": "4743:11" + }, { "contract_path": "src/UninitializedStateVariable.sol", "line_no": 8, diff --git a/reports/report.md b/reports/report.md index 7ecfc172..981cd277 100644 --- a/reports/report.md +++ b/reports/report.md @@ -29,7 +29,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati - [H-19: Shadowed State Variables in Inheritance Hierarchy](#h-19-shadowed-state-variables-in-inheritance-hierarchy) - [H-20: Unchecked `bool success` value for send call.](#h-20-unchecked-bool-success-value-for-send-call) - [H-21: Misused boolean with logical operators](#h-21-misused-boolean-with-logical-operators) - - [H-22: Sending native Eth is not protected from these functions.](#h-22-sending-native-eth-is-not-protected-from-these-functions) + - [H-22: Functions send eth away from contract but performs no checks on any address.](#h-22-functions-send-eth-away-from-contract-but-performs-no-checks-on-any-address) - [H-23: Delegatecall made by the function without checks on any adress.](#h-23-delegatecall-made-by-the-function-without-checks-on-any-adress) - [H-24: Tautological comparison.](#h-24-tautological-comparison) - [H-25: RTLO character detected in file. \u{202e}](#h-25-rtlo-character-detected-in-file-u202e) @@ -101,8 +101,8 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati | Key | Value | | --- | --- | -| .sol Files | 107 | -| Total nSLOC | 3509 | +| .sol Files | 108 | +| Total nSLOC | 3790 | ## Files Details @@ -177,6 +177,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati | src/TautologicalCompare.sol | 17 | | src/TautologyOrContradiction.sol | 11 | | src/TestERC20.sol | 62 | +| src/Trump.sol | 281 | | src/TxOriginUsedForAuth.sol | 43 | | src/U2.sol | 3 | | src/U3.sol | 2 | @@ -216,7 +217,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati | src/reused_contract_name/ContractB.sol | 7 | | src/uniswap/UniswapV2Swapper.sol | 50 | | src/uniswap/UniswapV3Swapper.sol | 150 | -| **Total** | **3509** | +| **Total** | **3790** | ## Issue Summary @@ -280,9 +281,15 @@ If all arguments are strings and or bytes, `bytes.concat()` should be used inste In the PoS model, proposers know well in advance if they will propose one or consecutive blocks ahead of time. In such a scenario, a malicious validator can hold back the transaction and execute it at a more favourable block number.Consider allowing function caller to specify swap deadline input parameter. -
16 Found Instances +
17 Found Instances +- Found in src/Trump.sol [Line: 290](../tests/contract-playground/src/Trump.sol#L290) + + ```solidity + uniswapV2Router.swapExactTokensForETHSupportingFeeOnTransferTokens( + ``` + - Found in src/uniswap/UniswapV2Swapper.sol [Line: 23](../tests/contract-playground/src/uniswap/UniswapV2Swapper.sol#L23) ```solidity @@ -1626,11 +1633,11 @@ The patterns `if (… || true)` and `if (.. && false)` will always evaluate to t -## H-22: Sending native Eth is not protected from these functions. +## H-22: Functions send eth away from contract but performs no checks on any address. -Introduce checks for `msg.sender` in the function +Consider introducing checks for `msg.sender` to ensure the recipient of the money is as intended. -
19 Found Instances +
20 Found Instances - Found in src/CallGraphTests.sol [Line: 38](../tests/contract-playground/src/CallGraphTests.sol#L38) @@ -1705,6 +1712,12 @@ Introduce checks for `msg.sender` in the function function func1(address x) external mod1(x) { ``` +- Found in src/Trump.sol [Line: 321](../tests/contract-playground/src/Trump.sol#L321) + + ```solidity + function manualSend() external { + ``` + - Found in src/UncheckedCalls.sol [Line: 6](../tests/contract-playground/src/UncheckedCalls.sol#L6) ```solidity @@ -1848,7 +1861,7 @@ Right to left override character may be misledaing and cause potential attacks b Function returns a value but it is ignored. -
9 Found Instances +
10 Found Instances - Found in src/OutOfOrderRetryable.sol [Line: 65](../tests/contract-playground/src/OutOfOrderRetryable.sol#L65) @@ -1893,6 +1906,12 @@ Function returns a value but it is ignored. manipulateHelper(p1); ``` +- Found in src/Trump.sol [Line: 344](../tests/contract-playground/src/Trump.sol#L344) + + ```solidity + IERC20(uniswapV2Pair).approve(address(uniswapV2Router), type(uint).max); + ``` + - Found in src/UncheckedReturn.sol [Line: 14](../tests/contract-playground/src/UncheckedReturn.sol#L14) ```solidity @@ -2503,7 +2522,7 @@ The return value of the low-level call is not checked, so if the call fails, the Contracts have owners with privileged rights to perform admin tasks and need to be trusted to not perform malicious updates or drain funds. -
13 Found Instances +
17 Found Instances - Found in src/AdminContract.sol [Line: 7](../tests/contract-playground/src/AdminContract.sol#L7) @@ -2542,6 +2561,30 @@ Contracts have owners with privileged rights to perform admin tasks and need to function setValue(uint256 _newValue) external onlyOwner { ``` +- Found in src/Trump.sol [Line: 92](../tests/contract-playground/src/Trump.sol#L92) + + ```solidity + function renounceOwnership() public virtual onlyOwner { + ``` + +- Found in src/Trump.sol [Line: 123](../tests/contract-playground/src/Trump.sol#L123) + + ```solidity + contract MAGA is Context, IERC20, Ownable { + ``` + +- Found in src/Trump.sol [Line: 299](../tests/contract-playground/src/Trump.sol#L299) + + ```solidity + function removeLimits() external onlyOwner{ + ``` + +- Found in src/Trump.sol [Line: 338](../tests/contract-playground/src/Trump.sol#L338) + + ```solidity + function openTrading() external onlyOwner() { + ``` + - Found in src/auditor_mode/PublicFunctionsWithoutSenderCheck.sol [Line: 9](../tests/contract-playground/src/auditor_mode/PublicFunctionsWithoutSenderCheck.sol#L9) ```solidity @@ -2652,7 +2695,7 @@ Openzeppelin has deprecated several functions and replaced with newer versions. ERC20 functions may not behave as expected. For example: return values are not always meaningful. It is recommended to use OpenZeppelin's SafeERC20 library. -
14 Found Instances +
19 Found Instances - Found in src/ArbitraryTransferFrom.sol [Line: 16](../tests/contract-playground/src/ArbitraryTransferFrom.sol#L16) @@ -2733,6 +2776,36 @@ ERC20 functions may not behave as expected. For example: return values are not a msg.sender.transfer(address(this).balance); ``` +- Found in src/Trump.sol [Line: 309](../tests/contract-playground/src/Trump.sol#L309) + + ```solidity + _taxWallet.transfer(taxWalletShare); + ``` + +- Found in src/Trump.sol [Line: 310](../tests/contract-playground/src/Trump.sol#L310) + + ```solidity + _teamWallet.transfer(teamWalletShare); + ``` + +- Found in src/Trump.sol [Line: 318](../tests/contract-playground/src/Trump.sol#L318) + + ```solidity + return IERC20(tokenAddress).transfer(_taxWallet, tokens); + ``` + +- Found in src/Trump.sol [Line: 324](../tests/contract-playground/src/Trump.sol#L324) + + ```solidity + payable(_taxWallet).transfer(balance); + ``` + +- Found in src/Trump.sol [Line: 344](../tests/contract-playground/src/Trump.sol#L344) + + ```solidity + IERC20(uniswapV2Pair).approve(address(uniswapV2Router), type(uint).max); + ``` + - Found in src/UninitializedStateVariable.sol [Line: 18](../tests/contract-playground/src/UninitializedStateVariable.sol#L18) ```solidity @@ -3039,7 +3112,7 @@ Check for `address(0)` when assigning values to address state variables. Instead of marking a function as `public`, consider marking it as `external` if it is not used internally. -
54 Found Instances +
63 Found Instances - Found in src/AderynIgnoreCustomDetectors.sol [Line: 7](../tests/contract-playground/src/AderynIgnoreCustomDetectors.sol#L7) @@ -3264,6 +3337,60 @@ Instead of marking a function as `public`, consider marking it as `external` if function setNonEmptyAlteredNumbers( ``` +- Found in src/Trump.sol [Line: 92](../tests/contract-playground/src/Trump.sol#L92) + + ```solidity + function renounceOwnership() public virtual onlyOwner { + ``` + +- Found in src/Trump.sol [Line: 180](../tests/contract-playground/src/Trump.sol#L180) + + ```solidity + function name() public pure returns (string memory) { + ``` + +- Found in src/Trump.sol [Line: 184](../tests/contract-playground/src/Trump.sol#L184) + + ```solidity + function symbol() public pure returns (string memory) { + ``` + +- Found in src/Trump.sol [Line: 188](../tests/contract-playground/src/Trump.sol#L188) + + ```solidity + function decimals() public pure returns (uint8) { + ``` + +- Found in src/Trump.sol [Line: 192](../tests/contract-playground/src/Trump.sol#L192) + + ```solidity + function totalSupply() public pure override returns (uint256) { + ``` + +- Found in src/Trump.sol [Line: 200](../tests/contract-playground/src/Trump.sol#L200) + + ```solidity + function transfer(address recipient, uint256 amount) public override returns (bool) { + ``` + +- Found in src/Trump.sol [Line: 205](../tests/contract-playground/src/Trump.sol#L205) + + ```solidity + function allowance(address owner, address spender) public view override returns (uint256) { + ``` + +- Found in src/Trump.sol [Line: 209](../tests/contract-playground/src/Trump.sol#L209) + + ```solidity + function approve(address spender, uint256 amount) public override returns (bool) { + ``` + +- Found in src/Trump.sol [Line: 214](../tests/contract-playground/src/Trump.sol#L214) + + ```solidity + function transferFrom(address sender, address recipient, uint256 amount) public override returns (bool) { + ``` + - Found in src/UninitializedLocalVariables.sol [Line: 7](../tests/contract-playground/src/UninitializedLocalVariables.sol#L7) ```solidity @@ -3374,7 +3501,7 @@ Instead of marking a function as `public`, consider marking it as `external` if If the same constant literal value is used multiple times, create a constant state variable and reference it throughout the contract. -
74 Found Instances +
78 Found Instances - Found in src/AssertStateChange.sol [Line: 9](../tests/contract-playground/src/AssertStateChange.sol#L9) @@ -3725,6 +3852,30 @@ If the same constant literal value is used multiple times, create a constant sta that.push(102); ``` +- Found in src/Trump.sol [Line: 233](../tests/contract-playground/src/Trump.sol#L233) + + ```solidity + taxAmount = amount.mul((_buyCount>_reduceBuyTaxAt)?_finalBuyTax:_initialBuyTax).div(100); + ``` + +- Found in src/Trump.sol [Line: 250](../tests/contract-playground/src/Trump.sol#L250) + + ```solidity + taxAmount = amount.mul((_buyCount>_reduceSellTaxAt)?_finalSellTax:_initialSellTax).div(100); + ``` + +- Found in src/Trump.sol [Line: 306](../tests/contract-playground/src/Trump.sol#L306) + + ```solidity + uint256 taxWalletShare = amount * _taxWalletPercentage / 100; + ``` + +- Found in src/Trump.sol [Line: 307](../tests/contract-playground/src/Trump.sol#L307) + + ```solidity + uint256 teamWalletShare = amount * _teamWalletPercentage / 100; + ``` + - Found in src/UncheckedReturn.sol [Line: 27](../tests/contract-playground/src/UncheckedReturn.sol#L27) ```solidity @@ -3805,7 +3956,7 @@ If the same constant literal value is used multiple times, create a constant sta Index event fields make the field more quickly accessible to off-chain tools that parse events. However, note that each index field costs extra gas during emission, so it's not necessarily best to index the maximum allowed per event (three fields). Each event should use three indexed fields if there are three or more fields, and gas usage is not particularly of concern for the events in question. If there are fewer than three fields, all of the fields should be indexed. -
19 Found Instances +
24 Found Instances - Found in src/ContractLocksEther.sol [Line: 7](../tests/contract-playground/src/ContractLocksEther.sol#L7) @@ -3892,6 +4043,36 @@ Index event fields make the field more quickly accessible to off-chain tools tha event Transfer(address indexed src, address indexed dst, uint256 wad); ``` +- Found in src/Trump.sol [Line: 31](../tests/contract-playground/src/Trump.sol#L31) + + ```solidity + event Transfer(address indexed from, address indexed to, uint256 value); + ``` + +- Found in src/Trump.sol [Line: 32](../tests/contract-playground/src/Trump.sol#L32) + + ```solidity + event Approval(address indexed owner, address indexed spender, uint256 value); + ``` + +- Found in src/Trump.sol [Line: 159](../tests/contract-playground/src/Trump.sol#L159) + + ```solidity + event MaxTxAmountUpdated(uint _maxTxAmount); + ``` + +- Found in src/Trump.sol [Line: 160](../tests/contract-playground/src/Trump.sol#L160) + + ```solidity + event ClearStuck(uint256 amount); + ``` + +- Found in src/Trump.sol [Line: 161](../tests/contract-playground/src/Trump.sol#L161) + + ```solidity + event ClearToken(address TokenAddressCleared, uint256 Amount); + ``` + - Found in src/UncheckedReturn.sol [Line: 17](../tests/contract-playground/src/UncheckedReturn.sol#L17) ```solidity @@ -3930,7 +4111,7 @@ Index event fields make the field more quickly accessible to off-chain tools tha Use descriptive reason strings or custom errors for revert paths. -
22 Found Instances +
23 Found Instances - Found in src/CallGraphTests.sol [Line: 7](../tests/contract-playground/src/CallGraphTests.sol#L7) @@ -4023,6 +4204,12 @@ Use descriptive reason strings or custom errors for revert paths. require(owner == msg.sender); ``` +- Found in src/Trump.sol [Line: 240](../tests/contract-playground/src/Trump.sol#L240) + + ```solidity + require(!isContract(to)); + ``` + - Found in src/ZeroAddressCheck.sol [Line: 13](../tests/contract-playground/src/ZeroAddressCheck.sol#L13) ```solidity @@ -4113,7 +4300,7 @@ Using `ERC721::_mint()` can mint ERC721 tokens to addresses which don't support Solc compiler version 0.8.20 switches the default target EVM version to Shanghai, which means that the generated bytecode will include PUSH0 opcodes. Be sure to select the appropriate EVM version in case you intend to deploy on a chain other than mainnet like L2 chains that may not support PUSH0, otherwise deployment of your contracts will fail. -
41 Found Instances +
42 Found Instances - Found in src/AdminContract.sol [Line: 2](../tests/contract-playground/src/AdminContract.sol#L2) @@ -4260,6 +4447,12 @@ Solc compiler version 0.8.20 switches the default target EVM version to Shanghai pragma solidity 0.8.20; ``` +- Found in src/Trump.sol [Line: 16](../tests/contract-playground/src/Trump.sol#L16) + + ```solidity + pragma solidity 0.8.20; + ``` + - Found in src/TxOriginUsedForAuth.sol [Line: 2](../tests/contract-playground/src/TxOriginUsedForAuth.sol#L2) ```solidity @@ -4370,7 +4563,7 @@ Solc compiler version 0.8.20 switches the default target EVM version to Shanghai -
13 Found Instances +
14 Found Instances - Found in src/BuiltinSymbolShadow.sol [Line: 17](../tests/contract-playground/src/BuiltinSymbolShadow.sol#L17) @@ -4445,6 +4638,12 @@ Solc compiler version 0.8.20 switches the default target EVM version to Shanghai modifier isOwner(){ ``` +- Found in src/Trump.sol [Line: 162](../tests/contract-playground/src/Trump.sol#L162) + + ```solidity + modifier lockTheSwap { + ``` + - Found in src/UnprotectedInitialize.sol [Line: 13](../tests/contract-playground/src/UnprotectedInitialize.sol#L13) ```solidity @@ -4674,7 +4873,7 @@ Consider removing empty blocks. Use `e` notation, for example: `1e18`, instead of its full numeric value. -
24 Found Instances +
27 Found Instances - Found in src/HugeConstants.sol [Line: 6](../tests/contract-playground/src/HugeConstants.sol#L6) @@ -4821,6 +5020,24 @@ Use `e` notation, for example: `1e18`, instead of its full numeric value. uint256 private _totalSupply = 1000000 * 10 ** uint(decimals); ``` +- Found in src/Trump.sol [Line: 145](../tests/contract-playground/src/Trump.sol#L145) + + ```solidity + uint256 private constant _tTotal = 47000000 * 10**_decimals; + ``` + +- Found in src/Trump.sol [Line: 148](../tests/contract-playground/src/Trump.sol#L148) + + ```solidity + uint256 public _maxTxAmount = 470000 * 10**_decimals; + ``` + +- Found in src/Trump.sol [Line: 151](../tests/contract-playground/src/Trump.sol#L151) + + ```solidity + uint256 public _maxTaxSwap= 470000 * 10**_decimals; + ``` +
@@ -4829,7 +5046,7 @@ Use `e` notation, for example: `1e18`, instead of its full numeric value. Instead of separating the logic into a separate function, consider inlining the logic into the calling function. This can reduce the number of function calls and improve readability. -
16 Found Instances +
18 Found Instances - Found in src/CallGraphTests.sol [Line: 6](../tests/contract-playground/src/CallGraphTests.sol#L6) @@ -4922,6 +5139,18 @@ Instead of separating the logic into a separate function, consider inlining the function editStorage(uint[1] storage arr) internal { ``` +- Found in src/Trump.sol [Line: 46](../tests/contract-playground/src/Trump.sol#L46) + + ```solidity + function sub(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) { + ``` + +- Found in src/Trump.sol [Line: 65](../tests/contract-playground/src/Trump.sol#L65) + + ```solidity + function div(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) { + ``` + - Found in src/UncheckedSend.sol [Line: 27](../tests/contract-playground/src/UncheckedSend.sol#L27) ```solidity @@ -4959,7 +5188,7 @@ Contract contains comments with TODOS Consider keeping the naming convention consistent in a given contract. Explicit size declarations are preferred (uint256, int256) over implicit ones (uint, int) to avoid confusion. -
27 Found Instances +
28 Found Instances - Found in src/Casting.sol [Line: 31](../tests/contract-playground/src/Casting.sol#L31) @@ -5028,6 +5257,12 @@ Consider keeping the naming convention consistent in a given contract. Explicit uint x; ``` +- Found in src/Trump.sol [Line: 159](../tests/contract-playground/src/Trump.sol#L159) + + ```solidity + event MaxTxAmountUpdated(uint _maxTxAmount); + ``` + - Found in src/UninitializedLocalVariables.sol [Line: 9](../tests/contract-playground/src/UninitializedLocalVariables.sol#L9) ```solidity @@ -6099,7 +6334,7 @@ solc versions below 0.5.9 contain a compiler bug leading to unexpected behavior State variables that are not updated following deployment should be declared constant to save gas. Add the `constant` attribute to state variables that never change. -
34 Found Instances +
45 Found Instances - Found in src/CostlyOperationsInsideLoops.sol [Line: 6](../tests/contract-playground/src/CostlyOperationsInsideLoops.sol#L6) @@ -6240,6 +6475,72 @@ State variables that are not updated following deployment should be declared con uint256[5] public assignToMeNow = [1, 4, 5, 8, 9]; // 1 state var assigned here ``` +- Found in src/Trump.sol [Line: 130](../tests/contract-playground/src/Trump.sol#L130) + + ```solidity + uint256 private _taxWalletPercentage = 50; + ``` + +- Found in src/Trump.sol [Line: 131](../tests/contract-playground/src/Trump.sol#L131) + + ```solidity + uint256 private _teamWalletPercentage = 50; + ``` + +- Found in src/Trump.sol [Line: 135](../tests/contract-playground/src/Trump.sol#L135) + + ```solidity + uint256 private _initialBuyTax=20; + ``` + +- Found in src/Trump.sol [Line: 136](../tests/contract-playground/src/Trump.sol#L136) + + ```solidity + uint256 private _initialSellTax=20; + ``` + +- Found in src/Trump.sol [Line: 137](../tests/contract-playground/src/Trump.sol#L137) + + ```solidity + uint256 private _finalBuyTax=1; + ``` + +- Found in src/Trump.sol [Line: 138](../tests/contract-playground/src/Trump.sol#L138) + + ```solidity + uint256 private _finalSellTax=1; + ``` + +- Found in src/Trump.sol [Line: 139](../tests/contract-playground/src/Trump.sol#L139) + + ```solidity + uint256 private _reduceBuyTaxAt=20; + ``` + +- Found in src/Trump.sol [Line: 140](../tests/contract-playground/src/Trump.sol#L140) + + ```solidity + uint256 private _reduceSellTaxAt=20; + ``` + +- Found in src/Trump.sol [Line: 141](../tests/contract-playground/src/Trump.sol#L141) + + ```solidity + uint256 private _preventSwapBefore=20; + ``` + +- Found in src/Trump.sol [Line: 150](../tests/contract-playground/src/Trump.sol#L150) + + ```solidity + uint256 public _taxSwapThreshold= 47000 * 10**_decimals; + ``` + +- Found in src/Trump.sol [Line: 151](../tests/contract-playground/src/Trump.sol#L151) + + ```solidity + uint256 public _maxTaxSwap= 470000 * 10**_decimals; + ``` + - Found in src/UninitializedStateVariable.sol [Line: 8](../tests/contract-playground/src/UninitializedStateVariable.sol#L8) ```solidity diff --git a/reports/report.sarif b/reports/report.sarif index 257d333f..f8bf7cb1 100644 --- a/reports/report.sarif +++ b/reports/report.sarif @@ -69,6 +69,17 @@ { "level": "warning", "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 190, + "byteOffset": 9949 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -2462,6 +2473,17 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 10, + "byteOffset": 10940 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -2541,7 +2563,7 @@ } ], "message": { - "text": "Introduce checks for `msg.sender` in the function" + "text": "Consider introducing checks for `msg.sender` to ensure the recipient of the money is as intended." }, "ruleId": "send-ether-no-checks" }, @@ -2762,6 +2784,17 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 71, + "byteOffset": 11990 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -3757,6 +3790,50 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 9, + "byteOffset": 2714 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 7, + "byteOffset": 3592 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 9, + "byteOffset": 10185 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 11, + "byteOffset": 11494 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -4057,6 +4134,61 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 19, + "byteOffset": 10512 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 20, + "byteOffset": 10557 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 29, + "byteOffset": 10869 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 28, + "byteOffset": 11111 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 29, + "byteOffset": 11990 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -4997,6 +5129,105 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 17, + "byteOffset": 2679 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 4, + "byteOffset": 5624 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 6, + "byteOffset": 5711 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 8, + "byteOffset": 5802 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 11, + "byteOffset": 5889 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 8, + "byteOffset": 6111 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 9, + "byteOffset": 6281 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 7, + "byteOffset": 6428 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 12, + "byteOffset": 6592 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -5864,6 +6095,50 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 3, + "byteOffset": 7704 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 3, + "byteOffset": 8497 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 3, + "byteOffset": 10426 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 3, + "byteOffset": 10498 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -6170,6 +6445,61 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 72, + "byteOffset": 891 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 78, + "byteOffset": 968 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 44, + "byteOffset": 4970 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 33, + "byteOffset": 5019 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 62, + "byteOffset": 5057 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -6399,6 +6729,17 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 7, + "byteOffset": 8065 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -6800,6 +7141,17 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 23, + "byteOffset": 227 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -7128,6 +7480,17 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 11, + "byteOffset": 5133 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -7794,6 +8157,39 @@ "byteOffset": 1550 } } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 8, + "byteOffset": 4412 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 6, + "byteOffset": 4579 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 6, + "byteOffset": 4756 + } + } } ], "message": { @@ -7969,6 +8365,28 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 3, + "byteOffset": 1403 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 3, + "byteOffset": 1976 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -8141,6 +8559,17 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 12, + "byteOffset": 5000 + } + } + }, { "physicalLocation": { "artifactLocation": { @@ -10119,6 +10548,127 @@ } } }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 20, + "byteOffset": 3920 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 21, + "byteOffset": 3967 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 14, + "byteOffset": 4041 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 15, + "byteOffset": 4080 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 12, + "byteOffset": 4120 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 13, + "byteOffset": 4156 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 15, + "byteOffset": 4193 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 16, + "byteOffset": 4233 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 18, + "byteOffset": 4274 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 17, + "byteOffset": 4682 + } + } + }, + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/Trump.sol" + }, + "region": { + "byteLength": 11, + "byteOffset": 4743 + } + } + }, { "physicalLocation": { "artifactLocation": { diff --git a/reports/templegold-report.md b/reports/templegold-report.md index b2be9bf2..e7ef22b6 100644 --- a/reports/templegold-report.md +++ b/reports/templegold-report.md @@ -13,11 +13,10 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati - [H-3: Unsafe Casting](#h-3-unsafe-casting) - [H-4: Contract Name Reused in Different Files](#h-4-contract-name-reused-in-different-files) - [H-5: Uninitialized State Variables](#h-5-uninitialized-state-variables) - - [H-6: Sending native Eth is not protected from these functions.](#h-6-sending-native-eth-is-not-protected-from-these-functions) - - [H-7: Return value of the function call is not checked.](#h-7-return-value-of-the-function-call-is-not-checked) - - [H-8: Weak Randomness](#h-8-weak-randomness) - - [H-9: Deletion from a nested mappping.](#h-9-deletion-from-a-nested-mappping) - - [H-10: Contract locks Ether without a withdraw function.](#h-10-contract-locks-ether-without-a-withdraw-function) + - [H-6: Return value of the function call is not checked.](#h-6-return-value-of-the-function-call-is-not-checked) + - [H-7: Weak Randomness](#h-7-weak-randomness) + - [H-8: Deletion from a nested mappping.](#h-8-deletion-from-a-nested-mappping) + - [H-9: Contract locks Ether without a withdraw function.](#h-9-contract-locks-ether-without-a-withdraw-function) - [Low Issues](#low-issues) - [L-1: Centralization Risk for trusted owners](#l-1-centralization-risk-for-trusted-owners) - [L-2: `ecrecover` is susceptible to signature malleability](#l-2-ecrecover-is-susceptible-to-signature-malleability) @@ -196,7 +195,7 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati | Category | No. of Issues | | --- | --- | -| High | 10 | +| High | 9 | | Low | 25 | @@ -395,36 +394,7 @@ Solidity does initialize variables by default when you declare them, however it' -## H-6: Sending native Eth is not protected from these functions. - -Introduce checks for `msg.sender` in the function - -
3 Found Instances - - -- Found in contracts/amm/TempleStableAMMRouter.sol [Line: 226](../tests/2024-07-templegold/protocol/contracts/amm/TempleStableAMMRouter.sol#L226) - - ```solidity - function withdraw(address token, address to, uint256 amount) external onlyOwner { - ``` - -- Found in contracts/core/VaultProxy.sol [Line: 125](../tests/2024-07-templegold/protocol/contracts/core/VaultProxy.sol#L125) - - ```solidity - function withdraw(address token, address to, uint256 amount) external onlyOwner { - ``` - -- Found in contracts/core/VaultedTemple.sol [Line: 52](../tests/2024-07-templegold/protocol/contracts/core/VaultedTemple.sol#L52) - - ```solidity - function withdraw(address token, address to, uint256 amount) external onlyOwner { - ``` - -
- - - -## H-7: Return value of the function call is not checked. +## H-6: Return value of the function call is not checked. Function returns a value but it is ignored. @@ -513,7 +483,7 @@ Function returns a value but it is ignored. -## H-8: Weak Randomness +## H-7: Weak Randomness The use of keccak256 hash functions on predictable values like block.timestamp, block.number, or similar data, including modulo operations on these values, should be avoided for generating randomness, as they are easily predictable and manipulable. The `PREVRANDAO` opcode also should not be used as a source of randomness. Instead, utilize Chainlink VRF for cryptographically secure and provably random values to ensure protocol integrity. @@ -530,7 +500,7 @@ The use of keccak256 hash functions on predictable values like block.timestamp, -## H-9: Deletion from a nested mappping. +## H-8: Deletion from a nested mappping. A deletion in a structure containing a mapping will not delete the mapping. The remaining data may be used to compromise the contract. @@ -547,7 +517,7 @@ A deletion in a structure containing a mapping will not delete the mapping. The -## H-10: Contract locks Ether without a withdraw function. +## H-9: Contract locks Ether without a withdraw function. It appears that the contract includes a payable function to accept Ether but lacks a corresponding function to withdraw it, which leads to the Ether being locked in the contract. To resolve this issue, please implement a public or external function that allows for the withdrawal of Ether from the contract. diff --git a/tests/contract-playground/src/Trump.sol b/tests/contract-playground/src/Trump.sol new file mode 100644 index 00000000..0593b755 --- /dev/null +++ b/tests/contract-playground/src/Trump.sol @@ -0,0 +1,351 @@ +/** + *Submitted for verification at Etherscan.io on 2023-08-11 +*/ + +// SPDX-License-Identifier: MIT + +/** + +Website: https://magatrumpeth.com/ +Telegram: https://t.me/MAGATrumpPortal +Twitter: https://twitter.com/magatrumpeth + +*/ + + +pragma solidity 0.8.20; + +abstract contract Context { + function _msgSender() internal view virtual returns (address) { + return msg.sender; + } +} + +interface IERC20 { + function totalSupply() external view returns (uint256); + function balanceOf(address account) external view returns (uint256); + function transfer(address recipient, uint256 amount) external returns (bool); + function allowance(address owner, address spender) external view returns (uint256); + function approve(address spender, uint256 amount) external returns (bool); + function transferFrom(address sender, address recipient, uint256 amount) external returns (bool); + event Transfer(address indexed from, address indexed to, uint256 value); + event Approval(address indexed owner, address indexed spender, uint256 value); +} + +library SafeMath { + function add(uint256 a, uint256 b) internal pure returns (uint256) { + uint256 c = a + b; + require(c >= a, "SafeMath: addition overflow"); + return c; + } + + function sub(uint256 a, uint256 b) internal pure returns (uint256) { + return sub(a, b, "SafeMath: subtraction overflow"); + } + + function sub(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) { + require(b <= a, errorMessage); + uint256 c = a - b; + return c; + } + + function mul(uint256 a, uint256 b) internal pure returns (uint256) { + if (a == 0) { + return 0; + } + uint256 c = a * b; + require(c / a == b, "SafeMath: multiplication overflow"); + return c; + } + + function div(uint256 a, uint256 b) internal pure returns (uint256) { + return div(a, b, "SafeMath: division by zero"); + } + + function div(uint256 a, uint256 b, string memory errorMessage) internal pure returns (uint256) { + require(b > 0, errorMessage); + uint256 c = a / b; + return c; + } + +} + +contract Ownable is Context { + address private _owner; + event OwnershipTransferred(address indexed previousOwner, address indexed newOwner); + + constructor () { + address msgSender = _msgSender(); + _owner = msgSender; + emit OwnershipTransferred(address(0), msgSender); + } + + function owner() public view returns (address) { + return _owner; + } + + modifier onlyOwner() { + require(_owner == _msgSender(), "Ownable: caller is not the owner"); + _; + } + + function renounceOwnership() public virtual onlyOwner { + emit OwnershipTransferred(_owner, address(0)); + _owner = address(0); + } + +} + +interface IUniswapV2Factory { + function createPair(address tokenA, address tokenB) external returns (address pair); +} + +interface IUniswapV2Router02 { + function swapExactTokensForETHSupportingFeeOnTransferTokens( + uint amountIn, + uint amountOutMin, + address[] calldata path, + address to, + uint deadline + ) external; + function factory() external pure returns (address); + function WETH() external pure returns (address); + function addLiquidityETH( + address token, + uint amountTokenDesired, + uint amountTokenMin, + uint amountETHMin, + address to, + uint deadline + ) external payable returns (uint amountToken, uint amountETH, uint liquidity); +} + +contract MAGA is Context, IERC20, Ownable { + using SafeMath for uint256; + mapping (address => uint256) private _balances; + mapping (address => mapping (address => uint256)) private _allowances; + mapping (address => bool) private _isExcludedFromFee; + address payable private _taxWallet; + address payable private _teamWallet; + uint256 private _taxWalletPercentage = 50; + uint256 private _teamWalletPercentage = 50; + + uint256 firstBlock; + + uint256 private _initialBuyTax=20; + uint256 private _initialSellTax=20; + uint256 private _finalBuyTax=1; + uint256 private _finalSellTax=1; + uint256 private _reduceBuyTaxAt=20; + uint256 private _reduceSellTaxAt=20; + uint256 private _preventSwapBefore=20; + uint256 private _buyCount=0; + + uint8 private constant _decimals = 9; + uint256 private constant _tTotal = 47000000 * 10**_decimals; + string private constant _name = unicode"MAGA"; + string private constant _symbol = unicode"TRUMP"; + uint256 public _maxTxAmount = 470000 * 10**_decimals; + uint256 public _maxWalletSize = 705000 * 10**_decimals; + uint256 public _taxSwapThreshold= 47000 * 10**_decimals; + uint256 public _maxTaxSwap= 470000 * 10**_decimals; + + IUniswapV2Router02 private uniswapV2Router; + address private uniswapV2Pair; + bool private tradingOpen; + bool private inSwap = false; + bool private swapEnabled = false; + + event MaxTxAmountUpdated(uint _maxTxAmount); + event ClearStuck(uint256 amount); + event ClearToken(address TokenAddressCleared, uint256 Amount); + modifier lockTheSwap { + inSwap = true; + _; + inSwap = false; + } + + constructor () { + + _taxWallet = payable(_msgSender()); + _teamWallet = payable(0x5432FC1c238179dEd479BC9B8e041265C623ad64); + _balances[_msgSender()] = _tTotal; + _isExcludedFromFee[owner()] = true; + _isExcludedFromFee[address(this)] = true; + _isExcludedFromFee[_taxWallet] = true; + + emit Transfer(address(0), _msgSender(), _tTotal); + } + + function name() public pure returns (string memory) { + return _name; + } + + function symbol() public pure returns (string memory) { + return _symbol; + } + + function decimals() public pure returns (uint8) { + return _decimals; + } + + function totalSupply() public pure override returns (uint256) { + return _tTotal; + } + + function balanceOf(address account) public view override returns (uint256) { + return _balances[account]; + } + + function transfer(address recipient, uint256 amount) public override returns (bool) { + _transfer(_msgSender(), recipient, amount); + return true; + } + + function allowance(address owner, address spender) public view override returns (uint256) { + return _allowances[owner][spender]; + } + + function approve(address spender, uint256 amount) public override returns (bool) { + _approve(_msgSender(), spender, amount); + return true; + } + + function transferFrom(address sender, address recipient, uint256 amount) public override returns (bool) { + _transfer(sender, recipient, amount); + _approve(sender, _msgSender(), _allowances[sender][_msgSender()].sub(amount, "ERC20: transfer amount exceeds allowance")); + return true; + } + + function _approve(address owner, address spender, uint256 amount) private { + require(owner != address(0), "ERC20: approve from the zero address"); + require(spender != address(0), "ERC20: approve to the zero address"); + _allowances[owner][spender] = amount; + emit Approval(owner, spender, amount); + } + + function _transfer(address from, address to, uint256 amount) private { + require(from != address(0), "ERC20: transfer from the zero address"); + require(to != address(0), "ERC20: transfer to the zero address"); + require(amount > 0, "Transfer amount must be greater than zero"); + uint256 taxAmount=0; + if (from != owner() && to != owner()) { + taxAmount = amount.mul((_buyCount>_reduceBuyTaxAt)?_finalBuyTax:_initialBuyTax).div(100); + + if (from == uniswapV2Pair && to != address(uniswapV2Router) && ! _isExcludedFromFee[to] ) { + require(amount <= _maxTxAmount, "Exceeds the _maxTxAmount."); + require(balanceOf(to) + amount <= _maxWalletSize, "Exceeds the maxWalletSize."); + + if (firstBlock + 3 > block.number) { + require(!isContract(to)); + } + _buyCount++; + } + + if (to != uniswapV2Pair && ! _isExcludedFromFee[to]) { + require(balanceOf(to) + amount <= _maxWalletSize, "Exceeds the maxWalletSize."); + } + + if(to == uniswapV2Pair && from!= address(this) ){ + taxAmount = amount.mul((_buyCount>_reduceSellTaxAt)?_finalSellTax:_initialSellTax).div(100); + } + + uint256 contractTokenBalance = balanceOf(address(this)); + if (!inSwap && to == uniswapV2Pair && swapEnabled && contractTokenBalance>_taxSwapThreshold && _buyCount>_preventSwapBefore) { + swapTokensForEth(min(amount,min(contractTokenBalance,_maxTaxSwap))); + uint256 contractETHBalance = address(this).balance; + if(contractETHBalance > 0) { + sendETHToFee(address(this).balance); + } + } + } + + if(taxAmount>0){ + _balances[address(this)]=_balances[address(this)].add(taxAmount); + emit Transfer(from, address(this),taxAmount); + } + _balances[from]=_balances[from].sub(amount); + _balances[to]=_balances[to].add(amount.sub(taxAmount)); + emit Transfer(from, to, amount.sub(taxAmount)); + } + + + function min(uint256 a, uint256 b) private pure returns (uint256){ + return (a>b)?b:a; + } + + function isContract(address account) private view returns (bool) { + uint256 size; + assembly { + size := extcodesize(account) + } + return size > 0; + } + + function swapTokensForEth(uint256 tokenAmount) private lockTheSwap { + address[] memory path = new address[](2); + path[0] = address(this); + path[1] = uniswapV2Router.WETH(); + _approve(address(this), address(uniswapV2Router), tokenAmount); + uniswapV2Router.swapExactTokensForETHSupportingFeeOnTransferTokens( + tokenAmount, + 0, + path, + address(this), + block.timestamp + ); + } + + function removeLimits() external onlyOwner{ + _maxTxAmount = _tTotal; + _maxWalletSize=_tTotal; + emit MaxTxAmountUpdated(_tTotal); + } + + function sendETHToFee(uint256 amount) private { + uint256 taxWalletShare = amount * _taxWalletPercentage / 100; + uint256 teamWalletShare = amount * _teamWalletPercentage / 100; + + _taxWallet.transfer(taxWalletShare); + _teamWallet.transfer(teamWalletShare); + } + + function clearStuckToken(address tokenAddress, uint256 tokens) external returns (bool success) { + if(tokens == 0){ + tokens = IERC20(tokenAddress).balanceOf(address(this)); + } + emit ClearToken(tokenAddress, tokens); + return IERC20(tokenAddress).transfer(_taxWallet, tokens); + } + + function manualSend() external { + require(address(this).balance > 0, "Contract balance must be greater than zero"); + uint256 balance = address(this).balance; + payable(_taxWallet).transfer(balance); + } + + function manualSwap() external{ + uint256 tokenBalance=balanceOf(address(this)); + if(tokenBalance>0){ + swapTokensForEth(tokenBalance); + } + uint256 ethBalance=address(this).balance; + if(ethBalance>0){ + sendETHToFee(ethBalance); + } + } + + function openTrading() external onlyOwner() { + require(!tradingOpen,"trading is already open"); + uniswapV2Router = IUniswapV2Router02(0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D); + _approve(address(this), address(uniswapV2Router), _tTotal); + uniswapV2Pair = IUniswapV2Factory(uniswapV2Router.factory()).createPair(address(this), uniswapV2Router.WETH()); + uniswapV2Router.addLiquidityETH{value: address(this).balance}(address(this),balanceOf(address(this)),0,0,owner(),block.timestamp); + IERC20(uniswapV2Pair).approve(address(uniswapV2Router), type(uint).max); + swapEnabled = true; + tradingOpen = true; + firstBlock = block.number; + } + + receive() external payable {} +} \ No newline at end of file