Cross Chain Farming smart contracts final audit report

Polly Traore
HashEx Security Blog
Nov 30, 2021

Audit by: HashEx
Prepared for: Cross Chain Farming

This audit report was generated for Cross Chain Farming with CryptEx token constructor. The audited code is deployed at 0x7f9528b913A99989B88104b633D531241591A358 in Binance Smart Chain (BSC).

The purpose of this audit was to achieve the following:

Identify potential security issues with smart contracts.
Formally check the logic behind given smart contracts.

Information in this report should be used to understand the risk exposure of smart contracts, and as a guide to improving the security posture of smart contracts by remediating the issues that were identified.

We hereby verify that the generated token has bytecode identical to that of the original audited token. The external audit of the same code was conducted by PaladinSec.

Contract

ReflectToken

Implementation of the ERC20 token standard with custom auto-yield functionality that burns tokens and distributes fees on transfers. It also has a marketing fee. Default fee values are: distribution between users (3%), automatic addition to liquidity (1%), burning (2%).

Issues

#01. addLiquidity() recipient

Severity: Medium
Status: Acknowledged

The addLiquidity() function calls swapRouter.addLiquidityETH() with the LP token recipient parameter set to liquidityAddress. Over time, liquidityAddress may accumulate a significant amount of LP tokens, which may be dangerous for the token economics if the owner acts maliciously or their account gets compromised. The owner can change liquidityAddress.

Recommendation: Investors should check if the liquidity is actually locked.

#02. No slippage checks on swaps and adding liquidity

Severity: Medium
Status: Acknowledged

The functions _swapTokensForBNB() and addLiquidity() do not perform slippage checks. The transactions may be front-run.

Recommendation: This is an architectural decision, but the owner of the token should be aware that setting the liqThreshold parameter to a large value creates incentives for front-running attacks.
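The effect described in issue #02 can be modelled with a constant-product pool. The following is an added example, not code from the audited contract or from HashEx; the 0.25% pool fee, the reserves, the trade sizes and all function names are assumptions made for illustration. It compares the output shortfall for a small and a large liqThreshold when another sale is ordered first, and shows a minimum-output bound rejecting the degraded swap.

```python
# Added illustration: constant-product (x*y=k) pool model, not the audited contract.
FEE_NUM, FEE_DEN = 9975, 10000   # assumed 0.25% pool fee
WEI = 10**18

class SlippageExceeded(Exception):
    """Stands in for the revert a router performs when output < amountOutMin."""

def get_amount_out(amount_in, reserve_in, reserve_out):
    # Uniswap-v2-style output formula with integer (floor) division.
    with_fee = amount_in * FEE_NUM
    return with_fee * reserve_out // (reserve_in * FEE_DEN + with_fee)

def swap_tokens_for_bnb(amount_in, reserves, amount_out_min=0):
    # amount_out_min=0 models a swap with no slippage check (issue #02).
    token_r, bnb_r = reserves
    out = get_amount_out(amount_in, token_r, bnb_r)
    if out < amount_out_min:
        raise SlippageExceeded(f"got {out}, required {amount_out_min}")
    return out, (token_r + amount_in, bnb_r - out)

def min_out(amount_in, reference_reserves, tolerance_bps):
    # The bound must come from a reference price fixed BEFORE the transaction
    # (off-chain quote, oracle). Deriving it from live reserves inside the
    # same call would just track whatever price the pool was moved to.
    quote = get_amount_out(amount_in, *reference_reserves)
    return quote * (10000 - tolerance_bps) // 10000

def shortfall(amount_in, reserves, earlier_sell):
    # BNB lost versus the reference quote when another sale executes first.
    quote = get_amount_out(amount_in, *reserves)
    _, moved = swap_tokens_for_bnb(earlier_sell, reserves)
    got, _ = swap_tokens_for_bnb(amount_in, moved)
    return quote - got

POOL = (1_000_000 * WEI, 1_000 * WEI)     # constructed reserves: tokens, BNB
EARLIER = 100_000 * WEI                   # constructed trade ordered ahead
SMALL, LARGE = 1_000 * WEI, 50_000 * WEI  # two hypothetical liqThreshold values

if __name__ == "__main__":
    for amt in (SMALL, LARGE):
        print(amt // WEI, "tokens -> shortfall", shortfall(amt, POOL, EARLIER) / WEI, "BNB")
    _, moved = swap_tokens_for_bnb(EARLIER, POOL)
    try:
        swap_tokens_for_bnb(LARGE, moved, min_out(LARGE, POOL, 100))
    except SlippageExceeded as e:
        print("reverted:", e)
```

The absolute shortfall grows with the amount swapped in one call, which is why a large liqThreshold raises the value at stake in each automatic swap.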

#03. General recommendations

Severity: Low
Status: Acknowledged

We recommend adding a documentation section to the Project website to track any changes in token parameters made by the owner.

Conclusion

The audited contract is an ERC20 token with a Reflect.finance auto-yield model with some changes, such as the ability to swap itself to BNB and to add liquidity. The audited contract was generated with the CryptEx token constructor.
No high severity issues were found.
The audited code is deployed at 0x7f9528b913A99989B88104b633D531241591A358 in Binance Smart Chain (BSC).

The audit includes recommendations on improving the code and preventing potential attacks.

References

1. CryptEx token constructor
2. Audit by PaladinSec
3. Reflect.finance GitHub repo

HashEx website: https://hashex.org