Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

scripts/test/deploy/modules/deploy-core.ts

kp8877

Your code appears to be a deployment script for a smart contract system related to a token (SDL) and its associated components. Here are some potential vulnerabilities and considerations you might want to address:

1. Reentrancy Attacks

  • If any of the contracts being deployed or interacted with have external calls (especially those that transfer Ether or tokens), ensure that functions that modify state do not call external contracts before completing state changes. Consider using a reentrancy guard pattern (e.g., the nonReentrant modifier in OpenZeppelin) if necessary.

2. Access Control

  • Ensure that sensitive functions (like setDelegatorPool) are properly protected with access control mechanisms, such as the onlyOwner modifier from OpenZeppelin's Ownable contract or similar patterns. This prevents unauthorized users from calling these functions.

3. Input Validation

  • Validate input parameters before deploying contracts or executing functions. For example, check that maxLockingDuration is greater than minLockingDuration in LinearBoostControllerArgs to prevent logical errors.

4. Magic Numbers

  • The use of magic numbers (like 86400 for 1 day) makes the code less readable. Consider defining constants for these values (e.g., const ONE_DAY = 86400;) to improve clarity.

5. Error Handling

  • Ensure that you are handling errors appropriately in your deployment process. Consider wrapping async calls in try/catch blocks and logging errors.

6. Gas Limit

  • Depending on the deployment environment, ensure you set appropriate gas limits for transactions, especially if you anticipate high computational requirements during contract execution.

7. Contract Initialization

  • Ensure that any necessary state initialization occurs in the constructor or through dedicated initialization functions. Uninitialized variables can lead to vulnerabilities.

8. Upgradeability Risks

  • If you are deploying upgradeable contracts, be aware of the risks associated with them, such as proxy pattern vulnerabilities. Ensure that your implementation conforms to secure upgradeability standards (e.g., use OpenZeppelin's Transparent Proxy pattern).

9. Token Contract Audit

  • Ensure that the StakingAllowance, DelegatorPool, LinearBoostController, and other token contracts have been audited for vulnerabilities. Common issues include reentrancy, overflow/underflow, and incorrect access controls.

10. Testing

  • Ensure thorough testing of all contracts and functions, including unit tests and integration tests, to identify potential issues before deploying to production.

Example Modifications

Here's how you could modify the code to include some of these recommendations:

import { ERC677 } from '../../../../typechain-types';
import {
updateDeployments,
deploy,
getContract,
deployUpgradeable,
} from '../../../utils/deployment';
// Constants
const ONE_DAY = 86400; // 1 day in seconds
const MAX_LOCKING_DURATION = 4 * 365 * ONE_DAY; // 4 years in seconds
// SDL Token
const SDLTokenArgs = {
name: 'stake.link', // SDL token name
symbol: 'SDL', // SDL token symbol
};
// Linear Boost Controller
const LinearBoostControllerArgs = {
minLockingDuration: ONE_DAY, // minimum locking duration
maxLockingDuration: MAX_LOCKING_DURATION, // maximum locking duration
maxBoost: 8, // maximum boost amount
};
// SDL Pool Primary
const SDLPoolPrimaryArgs = {
derivativeTokenName: 'Reward Escrowed SDL', // SDL staking derivative token name
derivativeTokenSymbol: 'reSDL', // SDL staking derivative token symbol
};
// Delegator Pool (deprecated)
const DelegatorPool = {
derivativeTokenName: 'Staked SDL', // SDL staking derivative token name
derivativeTokenSymbol: 'stSDL', // SDL staking derivative token symbol
};
export async function deployCore() {
try {
const lplToken = (await getContract('LPLToken')) as ERC677;
const sdlToken = await deploy('StakingAllowance', [SDLTokenArgs.name, SDLTokenArgs.symbol]);
console.log('SDLToken deployed: ', sdlToken.target);
const lplMigration = await deploy('LPLMigration', [lplToken.target, sdlToken.target]);
console.log('LPLMigration deployed: ', lplMigration.target);
const delegatorPool = await deployUpgradeable('DelegatorPool', [
sdlToken.target,
DelegatorPool.derivativeTokenName,
DelegatorPool.derivativeTokenSymbol,
[],
]);
console.log('DelegatorPool deployed: ', delegatorPool.target);
const lbc = await deploy('LinearBoostController', [
LinearBoostControllerArgs.minLockingDuration,
LinearBoostControllerArgs.maxLockingDuration,
LinearBoostControllerArgs.maxBoost,
]);
console.log('LinearBoostController deployed: ', lbc.target);
const sdlPoolPrimary = await deployUpgradeable('SDLPoolPrimary', [
SDLPoolPrimaryArgs.derivativeTokenName,
SDLPoolPrimaryArgs.derivativeTokenSymbol,
sdlToken.target,
lbc.target,
]);
console.log('SDLPool deployed: ', sdlPoolPrimary.target);
await (await sdlPoolPrimary.setDelegatorPool(delegatorPool.target)).wait();
updateDeployments(
{
SDLToken: sdlToken.target,
LPLMigration: lplMigration.target,
LinearBoostController: lbc.target,
SDLPool: sdlPoolPrimary.target,
DelegatorPool: delegatorPool.target,
},
{ SDLToken: 'StakingAllowance', SDLPool: 'SDLPoolPrimary' }
);
} catch (error) {
console.error('Deployment error: ', error);
}
}

Conclusion

It's essential to perform a comprehensive review of your smart contracts, especially when deploying in a production environment. Security audits and testing are crucial steps to ensure the integrity and safety of your deployed contracts.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.