Post bounties and services on Farcaster by tagging me. Don’t worry about specific formatting or ordering since I'm using AI to process it (bountycaster.xyz) /bounties. FAQ: bountycaster.xyz/FAQ

100 USDC for running your .sol files through our new tool (swarm.0xmacro.com) to find vulnerabilities, and classify which ones were accurate and which were false positives / irrelevant. @bountybot

I ran a set of contracts (~2500 LOC) that are already deployed through it. It reported 3 medium risk issues, 18 low risk issues, 51 code quality issues and 37 gas optimizations. All three medium risk issues were false positives/irrelevant imo, will reply below with details

1) Centralization issue caused by admin privileges

This one feels irrelevant to me, I made an active choice to use an ownable contract. I guess it makes sense that it is a medium risk for users of the project though

3) Dangerous use of mint instead of safeMint

This is a false positive, the contract has a private function called _mint that is called in two places which is what's reported, but the _mint function calls safeMint.

A couple of the low risk issues are legit things that would be nice to fix though, and all the gas optimization improvements are legit!

Low risk issues that are false positives:

3) External calls in an unbounded loop can result in a DoS

There's a `if (length > X) revert Invalid()` check on the line before the loop for one of the instances that were reported. All external calls are also to a contract that is set by the contract owner, so less risk

5) Missing limits when setting min/max amounts

2/3 reported instances have nothing to do with limits at all, and the third is something like a setClaimsUsed(address,uint256 allowClaims,uint256 waitlistClaims) so not relevant. Seems to match only on function signature/parameters?

2) It's possible to mint to address(0)

This is a false positive, there is no mint function that accepts a to argument, it always mints to msg.sender