Findings
Issue 01
Type | Severity | Location | Status |
Logical Issue | Informational |
| ❌ Not Resolved |
Description
if _amount is 0, this function will penalize the user even though they didn't withdraw any tokens.
Issue 02
Type | Severity | Location | Status |
Logical Issue | Informational |
| ✔️Resolved |
Description
_updatePool does nothing when block.number < startBlock, because startBlock will always be less than lastReward.
Recommendation
Consider removing the call to _updatePool.
Issue 03
Type | Severity | Location | Status |
Owner Capabilities | Informational |
| ❌ Not Resolved |
Description
The owner can set the startBlock to the future, preventing stakers from getting rewards until startBlock is reached.
Issue 04
Type | Severity | Location | Status |
Logical Issue | Low |
| ✔️ Resolved |
Description
stakedTokenSupply may not reflect the actual deposit amount. Malicious user can send tokens to the contract directly, increasing its balance and reducing the rewards.
Recommendation
Use a variable that tracks the staked number of contracts.
General Notes
If
rewardHolderis a contract, the team needs to have a way to externally increase the allowance of the staking contract.We recommend adding a timelock to the penalty update functions, to ensure users have enough time to review the changes.
Last updated