Cradle of Sins

In the contract `CradleOfSins` the role `_owner` has authority over the functions shown in the diagram below.
Any compromise to the `_owner` account may allow the hacker to take advantage of this authority and change the contract settings.
![](https://accelerator-tasks-prod.acc.corp.certik.com/8606eb3b64b04803b34feea9aebef9f5/diagrams/centralization_CradleOfSins-CradleOfSins-_owner.svg)

Tokens are sent to `msg.sender` (deployer) when deploying the contract. This could be a centralization risk as the deployer can distribute tokens without obtaining the consensus of the community.

The contract `CradleOfSins` uses a version of solidity anterior to `0.8.0`, hence there are no built-in checks in the compiler for underflow. Take the `burn` function as an example, this might cause `_tOwned[msg.sender]` and `_tTotal` underflow.  The solidity version of the contract stays between `0.6.0` to `0.9.0`, and this could be used by an attacker.

Performing integer division before multiplication truncates the low bits, losing the precision of calculation.

```solidity=635
  uint256 feeAmount = amount * currentFee / masterTaxDivisor;
  uint256 burnAmount = (feeAmount * ratios.burn) / ratios.totalSwap;
```

The transaction may be charged fees, so the max holding of the receiver should be the sum of the held tokens and the amount received from the transfer. The fees should not be included in the max holding.

```solidity=501
                    require(balanceOf(to) + amount <= _maxWalletSize, "Transfer amount exceeds the maxWalletSize.");
```
- Max holding is checked.

```solidity=617
        uint256 amountReceived = (takeFee) ? takeTaxes(from, buy, sell, amount) : amount;
```
- Receiving amount is adjusted.

```solidity=618
        _tOwned[to] += amountReceived;
```
- Balance is increased by the adjusted amount.

There should always be events emitted in the sensitive functions that are controlled by centralization roles.

The **require** can be used to check for conditions and throw an exception if the condition is not met. It is better to provide a string message containing details about the error that will be passed back to the caller.

The contract is serving as the underlying entity to interact with one or more third party protocols. The scope of the audit treats third party entities as black boxes and assume their functional correctness. However, in the real world, third parties can be compromised and this may lead to lost or stolen assets. In addition, upgrades of third parties can possibly create severe impacts, such as increasing fees of third parties, migrating to new LP pools, etc.

```solidity=158
    IRouter02 public dexRouter;
```
- The contract `CradleOfSins` interacts with third party contract with `IRouter02` interface via `dexRouter`.


---
```solidity=182
    AntiSnipe antiSnipe;
```
- The contract `CradleOfSins` interacts with third party contract with `AntiSnipe` interface via `antiSnipe`.

The contract has unlocked compiler version. An unlocked compiler version in the source code of the contract permits the user to compile it at or above a particular version. This, in turn, leads to differences in the generated bytecode between compilations due to different compiler versions. This can lead to an ambiguity when debugging as compiler specific bugs may occur in the codebase that would be hard to identify over a span of multiple compiler versions rather than a specific one.

The event `AutoLiquify` is declared but never emitted.

It is not recommended to use Solidity's `transfer()` and `send()` functions for transferring Ether, since some contracts may not be able to receive the funds. Those functions forward only a fixed amount of gas (2300 specifically) and the receiving contracts may run out of gas before finishing the transfer. Also, EVM instructions' gas costs may increase in the future. Thus, some contracts that can receive now may stop working in the future due to the gas limitation.

```solidity=579
        payable(_owner).transfer(address(this).balance);
```
- `CradleOfSins.sweepContingency` uses `transfer()`.