Private EngagementPrivateBSCAnonymisedPublished

Audit Report

MEV / Flash-loan bot — published (deployer anonymised)

Two Critical authorization flaws plus three High issues. Embargo lifted on 2026-05-31 after deployer confirmed zero on-chain funds.

Published — embargo lifted (deployer confirmed zero funds)

Tier

Standard

Submitted

2026-05-28

Findings

9

2 Critical3 High2 Medium1 Low1 Info

Disclosure Notice

Findings were embargoed under the responsible-disclosure clause from 2026-05-28 to 2026-05-31. Published after deployer confirmed the contract holds no on-chain funds. Deployer identity remains anonymised in the public report.

Findings

Full descriptions, code snippets, PoCs and remediation in the PDF report.

  • C-01

    pancakeCall() has no caller authentication — anyone can drain the contract

    Scope: FlashLoanBot.sol · LLM auditor (Claude Opus 4.7)

    Critical
  • C-02

    pancakeCall trusts arbitrary calldata — full token-approval hijack

    Scope: FlashLoanBot.sol · LLM auditor (Claude Opus 4.7)

    Critical
  • H-01

    Both swaps use amountOutMin = 0 — 100% sandwich-attack exposure

    Scope: FlashLoanBot.sol · LLM auditor (Claude Opus 4.7)

    High