The documentation states that a maximum of 4 Non-Fungible Tokens (NFTs) can be staked, earning 1 Cred ERC20 token per day for each staked NFT, up to that maximum of 4 tokens. However, code review found no implementation that restricts the number of tokens a user can stake to 4.
The vulnerability lies in the absence of code logic to enforce the maximum of 4 staked tokens. The stake function within the smart contract allows users to stake any number of tokens without restriction. Here's the relevant code snippet:
As per the documentation, there should be a validation mechanism within the stake function to ensure that a maximum of 4 tokens can be staked. However, no such validation is present in the provided code.
Without enforcement of the maximum stake limit, a user can stake an unlimited number of tokens and accrue Cred rewards on all of them, leading to disproportionate rewards and an imbalance in the system. This could impact the token economy and disrupt the intended functionality of the staking mechanism.
The audit was conducted through manual code review and analysis of the provided documentation. No automated tools were used for this assessment.
Implement Stake Limit: Introduce code logic within the stake function to enforce the maximum limit of 4 tokens that can be staked per user. This validation should be based on the current number of tokens staked by the user.
Update Documentation: Ensure that the documentation accurately reflects the implemented code logic, including any limitations or constraints on token staking.
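The following is an added illustration of the recommended fix, not the audited project's code; the contract, function and variable names are assumptions. It shows the per-user cap checked against the number of tokens currently staked (so unstaking frees a slot), and the same bound applied to a batch entry point, where checking only the first token would still let one call exceed the cap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC721 staking vault; contract, variable and function names are
// assumptions for this illustration, not the audited project's own code.
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

contract NftStakingExample {
    uint256 public constant MAX_STAKED_PER_USER = 4;   // documented cap

    IERC721Minimal public immutable nft;
    mapping(uint256 => address) public stakerOf;      // tokenId => staker
    mapping(uint256 => uint256) public stakedSince;   // tokenId => stake timestamp
    mapping(address => uint256) public stakedCount;   // staker => active stakes

    constructor(IERC721Minimal nft_) { nft = nft_; }

    // The check the finding reports as missing: refuse a fifth active stake.
    // It counts only tokens currently staked, so unstaking frees a slot.
    function stake(uint256 tokenId) external {
        require(stakedCount[msg.sender] < MAX_STAKED_PER_USER, "max 4 staked");
        _stake(tokenId);
    }

    // A batch entry point must bound the whole batch against the current
    // count, otherwise a single call can still push a user past the cap.
    function stakeMany(uint256[] calldata tokenIds) external {
        require(stakedCount[msg.sender] + tokenIds.length <= MAX_STAKED_PER_USER, "max 4 staked");
        for (uint256 i = 0; i < tokenIds.length; i++) _stake(tokenIds[i]);
    }

    function unstake(uint256 tokenId) external {
        require(stakerOf[tokenId] == msg.sender, "not staker");
        stakedCount[msg.sender] -= 1;                 // slot becomes available again
        delete stakerOf[tokenId];
        delete stakedSince[tokenId];
        nft.transferFrom(address(this), msg.sender, tokenId);
    }

    function _stake(uint256 tokenId) internal {
        stakedCount[msg.sender] += 1;
        stakerOf[tokenId] = msg.sender;
        stakedSince[tokenId] = block.timestamp;       // reward accrual starts here
        nft.transferFrom(msg.sender, address(this), tokenId); // requires prior approval
    }
}
```

Reward accounting is left out; the point is that both the single and batch paths read stakedCount before accepting a deposit and that unstake keeps the count accurate.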