Submission Details
Severity: medium
Invalid

Unrestricted Staking Vulnerability in Streets.sol

Summary

The documentation states that a maximum of 4 Non-Fungible Tokens (NFTs) can be staked, earning 1 Cred ERC20 per day staked, up to a maximum of 4 tokens. However, code review found no logic in the contract that restricts the number of staked tokens to 4.

Vulnerability Details

The vulnerability lies in the absence of code logic to enforce the maximum of 4 tokens being staked. The stake function within the smart contract allows users to stake any number of tokens without any restriction. Here's the relevant code snippet:

// Stake tokens by transferring them to this contract
function stake(uint256 tokenId) external {
    stakes[tokenId] = Stake(block.timestamp, msg.sender);
    emit Staked(msg.sender, tokenId, block.timestamp);
    oneShotContract.transferFrom(msg.sender, address(this), tokenId);
}

As per the documentation, there should be a validation mechanism within the stake function to ensure that a maximum of 4 tokens can be staked. However, no such validation is present in the provided code.

Impact

Without the enforcement of the maximum stake limit, users can stake an unlimited number of tokens, potentially leading to disproportionate rewards and imbalance in the system. This could impact the token economy and disrupt the intended functionality of the staking mechanism.

Tools Used

The audit was conducted through manual code review and analysis of the provided documentation. No automated tools were used for this assessment.

Recommendations

  1. Implement Stake Limit: Introduce code logic within the stake function to enforce the maximum limit of 4 tokens that can be staked per user. This validation should be based on the current number of tokens staked by the user.

  2. Update Documentation: Ensure that the documentation accurately reflects the implemented code logic, including any limitations or constraints on token staking.
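
One way recommendation 1 could look, as an added example that is not part of the original submission or the project's Streets.sol. It assumes the limit is meant per staking address, as the submission reads the documentation; the contract name, the stakedCount mapping, the custom errors, the Unstaked event and the unstake function are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-721 surface used here; oneShotContract is assumed to expose it.
interface IERC721Minimal {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Hypothetical contract illustrating the recommendation; not the audited code.
contract StreetsWithStakeLimit {
    struct Stake {
        uint256 startTime;
        address owner;
    }

    // Limit as the submission reads the documentation (assumption).
    uint256 public constant MAX_STAKED_PER_USER = 4;

    IERC721Minimal public immutable oneShotContract;
    mapping(uint256 => Stake) public stakes;
    mapping(address => uint256) public stakedCount; // active stakes per address

    event Staked(address indexed owner, uint256 tokenId, uint256 startTime);
    event Unstaked(address indexed owner, uint256 tokenId);

    error StakeLimitReached(address user, uint256 limit);
    error NotStaker();

    constructor(address oneShotAddress) {
        oneShotContract = IERC721Minimal(oneShotAddress);
    }

    function stake(uint256 tokenId) external {
        // Reject before any state change once the caller holds 4 active stakes.
        if (stakedCount[msg.sender] >= MAX_STAKED_PER_USER) {
            revert StakeLimitReached(msg.sender, MAX_STAKED_PER_USER);
        }
        stakedCount[msg.sender] += 1;
        stakes[tokenId] = Stake(block.timestamp, msg.sender);
        emit Staked(msg.sender, tokenId, block.timestamp);
        oneShotContract.transferFrom(msg.sender, address(this), tokenId);
    }

    // The counter must drop on unstake, or a user is locked out after 4 stakes.
    function unstake(uint256 tokenId) external {
        if (stakes[tokenId].owner != msg.sender) revert NotStaker();
        delete stakes[tokenId];
        stakedCount[msg.sender] -= 1;
        emit Unstaked(msg.sender, tokenId);
        oneShotContract.transferFrom(address(this), msg.sender, tokenId);
    }
}
```

The cap here is tracked per address, so it bounds what a single account can have staked at once.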

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Max 4 rappers staked limit not enforced
