Audit Report
MEV / Flash-loan bot — published (deployer anonymised)
Two Critical authorization flaws plus three High issues. Embargo lifted on 2026-05-31 after deployer confirmed zero on-chain funds.
Tier
Standard
Submitted
2026-05-28
Findings
9
Disclosure Notice
Findings were embargoed under the responsible-disclosure clause from 2026-05-28 to 2026-05-31. Published after deployer confirmed the contract holds no on-chain funds. Deployer identity remains anonymised in the public report.
Findings
Full descriptions, code snippets, PoCs and remediation in the PDF report.
- C-01Critical
pancakeCall() has no caller authentication — anyone can drain the contract
Scope: FlashLoanBot.sol · LLM auditor (Claude Opus 4.7)
- C-02Critical
pancakeCall trusts arbitrary calldata — full token-approval hijack
Scope: FlashLoanBot.sol · LLM auditor (Claude Opus 4.7)
- H-01High
Both swaps use amountOutMin = 0 — 100% sandwich-attack exposure
Scope: FlashLoanBot.sol · LLM auditor (Claude Opus 4.7)