Findings
Issue 01
Type: Logical Issue
Severity: Informational
Location: withdraw
Status: ❌ Not Resolved
Description
If _amount is 0, this function still penalizes the user even though they did not withdraw any tokens.
Issue 02
Type: Logical Issue
Severity: Informational
Location: updateRewardPerBlock
Status: ✔️ Resolved
Description
_updatePool does nothing when block.number < startBlock, because lastRewardBlock is initialized to startBlock and so is never less than startBlock; the early-return check in _updatePool therefore always triggers before the pool has started.
Recommendation
Consider removing the call to _updatePool.
Issue 03
Type: Owner Capabilities
Severity: Informational
Location: updateStartAndEndBlocks
Status: ❌ Not Resolved
Description
The owner can move startBlock into the future, preventing stakers from receiving any rewards until the new startBlock is reached.
Issue 04
Type: Logical Issue
Severity: Low
Location: _updatePool
Status: ✔️ Resolved
Description
stakedTokenSupply may not reflect the actual deposited amount. A malicious user can send tokens to the contract directly, increasing its token balance and thereby reducing the rewards distributed per staked token.
Recommendation
Use a state variable that tracks the number of tokens actually staked through deposit and withdraw, instead of reading the contract's token balance.
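The dilution described in Issue 04, as an added model that is not the audited contract's code: a minimal MasterChef-style pool whose stakedTokenSupply is read either from the raw token balance (the reported behaviour) or from a tracked deposit counter (the recommendation). The PRECISION constant, the accTokenPerShare accounting, the user name and the amounts are assumptions constructed for the illustration.

```python
PRECISION = 10**12  # assumed scaling factor, as in common SmartChef forks

class Pool:
    def __init__(self, reward_per_block, start_block, track_supply):
        self.reward_per_block = reward_per_block
        self.last_reward_block = start_block   # lastRewardBlock starts at startBlock
        self.acc_token_per_share = 0
        self.track_supply = track_supply       # True = recommended fix
        self.total_staked = 0                  # sum of real deposits
        self.token_balance = 0                 # stakedToken.balanceOf(address(this))
        self.users = {}                        # user -> [amount, reward_debt]

    def _staked_supply(self):
        # Vulnerable variant reads the raw token balance (Issue 04).
        return self.total_staked if self.track_supply else self.token_balance

    def _accrued(self, block):
        # accTokenPerShare as it would stand after _updatePool runs at `block`.
        supply = self._staked_supply()
        if block <= self.last_reward_block or supply == 0:
            return self.acc_token_per_share
        reward = (block - self.last_reward_block) * self.reward_per_block
        return self.acc_token_per_share + reward * PRECISION // supply

    def _update_pool(self, block):
        if block <= self.last_reward_block:
            return  # also the early return hit before startBlock (Issue 02)
        self.acc_token_per_share = self._accrued(block)
        self.last_reward_block = block

    def deposit(self, user, amount, block):
        # Simplified: pending rewards on re-deposit are not harvested here.
        self._update_pool(block)
        entry = self.users.setdefault(user, [0, 0])
        entry[0] += amount
        entry[1] = entry[0] * self.acc_token_per_share // PRECISION
        self.total_staked += amount
        self.token_balance += amount

    def donate(self, amount):
        # Plain ERC20 transfer to the contract that bypasses deposit().
        self.token_balance += amount

    def pending_reward(self, user, block):
        amount, debt = self.users.get(user, [0, 0])
        return amount * self._accrued(block) // PRECISION - debt

def dilution_demo(track_supply):
    pool = Pool(reward_per_block=10, start_block=100, track_supply=track_supply)
    pool.deposit("alice", 1000, block=100)
    pool.donate(9000)  # constructed: nine times the real stake sent directly
    return pool.pending_reward("alice", block=110)  # 100 tracked, 10 from balance
```

With the balance-based supply the direct transfer cuts alice's ten-block reward from 100 to 10, while the tracked counter is unaffected by tokens that never passed through deposit.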
General Notes
If rewardHolder is a contract, the team needs a way to externally increase the allowance granted to the staking contract. We recommend adding a timelock to the penalty update functions, so that users have enough time to review the changes before they take effect.