Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

test/metisStaking/sequencer-vcs.test.ts

kp8877

Let's analyze the provided Solidity test code for vulnerabilities and suggest improvements, including detailed solutions. I'll focus on common areas of concern in smart contracts, such as reentrancy, gas limit issues, error handling, and best practices.

1. Reentrancy Vulnerability

Issue:

The deposit, depositQueuedTokens, and updateStrategyRewards functions could be susceptible to reentrancy attacks, especially if they interact with external contracts or transfer tokens.

Solution:

To mitigate reentrancy risks, you should implement the checks-effects-interactions pattern. Here’s how to implement it:

Locking the Contract: Introduce a reentrancy guard.

bool private locked;

modifier nonReentrant() {

require(!locked, "No reentrancy");

locked = true;

locked = false;

}

Applying the Modifier: Use this modifier in the functions where external calls are made.

function deposit(address account, uint256 amount, bytes calldata data) external nonReentrant {

// ... function logic

}

2. Input Validation

Issue:

Functions like addVault, depositQueuedTokens, and others accept addresses and amounts without validation, which can lead to undesired behavior or unexpected interactions with other contracts.

Solution:

Input Validation: Ensure that addresses are valid and amounts are non-zero.

function addVault(address pubkey, address controller, address receiver) external {

require(pubkey != address(0), "Invalid pubkey");

require(controller != address(0), "Invalid controller");

require(receiver != address(0), "Invalid receiver");

// ... continue logic

}

3. Gas Limit Issues

Issue:

The number of vaults or the amount of tokens being processed may lead to out-of-gas errors in transactions.

Solution:

Batch Processing: Instead of processing multiple deposits in a single transaction, consider implementing batch processing with a limit to avoid hitting gas limits.

function depositQueuedTokens(uint256[] memory vaultIds, uint256[] memory amounts) external {

require(vaultIds.length == amounts.length, "Mismatched lengths");

for (uint256 i = 0; i < vaultIds.length; i++) {

require(amounts[i] > 0, "Amount must be greater than 0");

// process each deposit

}

4. Error Handling

Issue:

The code uses assertions (assert) which will revert transactions, but they are not ideal for user-facing functions where you want to provide more informative error messages.

Solution:

Use require for Conditions: Replace assertions with require to provide meaningful error messages.

require(condition, "Error Message");

5. Access Control

Issue:

Functions like setCCIPController, setManager, and addStrategy should ensure that only authorized addresses can call them.

Solution:

Implement Access Control: Utilize OpenZeppelin's Ownable or similar pattern to manage access rights.

import "@openzeppelin/contracts/access/Ownable.sol";

contract MyContract is Ownable {

function setCCIPController(address newController) external onlyOwner {

// logic

}

6. Optimizing Token Transfers

Issue:

When transferring tokens, ensure that the entire transfer is successful, or it should revert to avoid partial state changes.

Solution:

Using SafeERC20: Use OpenZeppelin's SafeERC20 for safe transfers and allowance checks.

import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

using SafeERC20 for IERC20;

function deposit(uint256 amount) external {

token.safeTransferFrom(msg.sender, address(this), amount);

}

7. Event Emission

Issue:

Not emitting events for significant state changes can make it hard to track on-chain activities and may hinder off-chain integrations.

Solution:

Emit Events: Add events for critical state changes like deposits, withdrawals, and strategy updates.

event Deposited(address indexed user, uint256 amount);

event VaultAdded(address indexed vault);

function deposit(uint256 amount) external {

// ...

emit Deposited(msg.sender, amount);

}

Summary of Proposed Changes

Implement reentrancy guards.
Add input validation for critical functions.
Consider batch processing for potentially gas-intensive operations.
Use require for error handling instead of assert.
Integrate access control using Ownable or similar patterns.
Utilize SafeERC20 for token interactions.
Emit events for significant actions in the contract.

These improvements can help secure the contract against common vulnerabilities and make it more robust and user-friendly.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.