B3x.

In contract sale.sol, there is depositUsdc() function in which the user deposits the usdc amount to get the project’s B3X tokens in return. Here on L105 there is transferFrom function in which beneficiary variable is used for from parameter. If a userA has approval of tokens from some other userB for some tokens then userA can put userB as beneficiary which will result in draining the funds of userB.

In contract sale.sol, there is Initialize() function where the owner calls the function to set the sale starting and ending time period. The issue here is that Initialize() function can be called many times with different start and end times. There is no direct harm but say if the attacker gets access to the owner's private key and then can access the contract. There won’t be any monetary problem but it’ll result in users' deposits getting denied if sale is initialized more than once.

In token sale contract currently the user amount deposit calculation is dependent on how much B3X tokens are in the contract therefore, if user is to deposit 2000 USDC which is maximum token allowed to buy B3X tokens then at-least more than 100K B3X tokens should be present for first few users to deposit/buy with full 2000 USDC amount.

In constructor() of the contract sale.sol there should be a check for zero address for b3x and usdc contracts. Even though it does not seem necessary and owner is trusted and puts correct addresses. To actually ensure safety it is recommended to use zero address check.

Consider using a specific version of Solidity in your contracts instead of a wide version. For example, instead of pragma solidity ^0.8.0;, use pragma solidity 0.8.0;