GoPlus: Hello 402 contract has the risk of unlimited issuance and centralized manipulation

GoPlus Chinese community disclosed on platform X that the Hello 402 contract has some hidden risks------infinite issuance and centralized manipulation risks.

1. The administrator address has extremely high permissions, fully controlling the minting and distribution of H402 tokens. For example: the addTokenCredits function allows the administrator to allocate H402 token minting shares to users, but does not check whether it will exceed the MAX_SUPPLY total, potentially creating a backdoor for infinite issuance; the redeemTokenCredits function allows users to actually mint H402 tokens based on their shares; the WithdrawDevToken function allows the administrator address to mint all unallocated shares in one go, posing a high risk of centralized manipulation.

2. The project party stated in X that the WithdrawDevToken function is only used for "token replenishment," "ecological incentives," and "profit space" commitments after the private placement ends, none of which have been specifically implemented at the contract level, leading to a high risk of centralized default. Previously, OKX stated that it has launched an investigation into the abnormal behavior of Hello 402 and will continue to track on-chain evidence while reserving the right to take legal action.