One Shot: Reloaded

First Flight #47
Beginner Friendly, NFT
100 EXP
Submission Details
Impact: low
Likelihood: high

Staking for less than 24 hours gives no rewards or stat improvements.

Author: Revealed upon completion

Root + Impact

Description

  • The unstake function is designed to calculate rewards based on the number of full days a Rapper has been staked. The specific issue is that the code uses integer division, which rounds down the result of staked_duration / 86400. This means any staking duration less than a full 24 hours (86,400 seconds) will be calculated as 0 days, and the user will not receive any rewards or stat improvements for that time.

// Root cause in the codebase with @> marks to highlight the relevant section
let staked_duration = timestamp::now_seconds() - stake_info.start_time_seconds; @>
let days_staked = staked_duration / 86400; @>

Risk

Likelihood:

  • This will occur whenever a user unstakes their NFT before a full 24-hour period has elapsed.

  • Users are likely to test the staking feature with short durations, leading to this bug being easily discovered.

Impact:

  • Users are not rewarded for their time, leading to a poor user experience.

  • This can create a sense of unfairness and lead to a lack of trust in the protocol.

Proof of Concept

let staked_duration = timestamp::now_seconds() - stake_info.start_time_seconds; @>
let days_staked = staked_duration / 86400; @>
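
The truncation can be reproduced in isolation with a Move unit test. This is an added example, not code from the audited project: the address 0x42 and the module and function names are assumptions, and the staked duration is passed in directly instead of being read from timestamp::now_seconds().

```move
// Added example, not code from the audited project. The address 0x42 and all
// names below are assumptions; only the division by 86400 comes from the report.
module 0x42::stake_rounding_example {
    const SECONDS_PER_DAY: u64 = 86400;

    /// Same arithmetic as the reported line: u64 division truncates toward zero.
    fun days_staked(staked_duration: u64): u64 {
        staked_duration / SECONDS_PER_DAY
    }

    /// Seconds of staking time that the truncation leaves uncounted.
    fun uncounted_seconds(staked_duration: u64): u64 {
        staked_duration % SECONDS_PER_DAY
    }

    #[test]
    fun under_24_hours_counts_as_zero_days() {
        assert!(days_staked(1) == 0, 1);
        assert!(days_staked(86399) == 0, 2);
        // One second short of a day: the whole duration is uncounted.
        assert!(uncounted_seconds(86399) == 86399, 3);
    }

    #[test]
    fun full_days_are_counted_and_remainder_dropped() {
        assert!(days_staked(86400) == 1, 4);
        // Almost two days still counts as one; 86399 seconds are dropped.
        assert!(days_staked(172799) == 1, 5);
        assert!(uncounted_seconds(172799) == 86399, 6);
        assert!(days_staked(172800) == 2, 7);
    }

    #[test]
    fun every_whole_hour_of_first_day_yields_zero() {
        let hours: u64 = 0;
        while (hours < 24) {
            assert!(days_staked(hours * 3600) == 0, 8);
            hours = hours + 1;
        };
    }
}
```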

Recommended Mitigation

- let days_staked = staked_duration / 86400;
+ let hours_staked = staked_duration / 3600;
+ let days_staked = hours_staked / 24;
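
Review bot: the two added lines still truncate to whole days, so days_staked has the same value as before for every duration: with integer division, (staked_duration / 3600) / 24 equals staked_duration / 86400. A stake of under 24 hours gives hours_staked of at most 23 and days_staked of 0, which is the behaviour the finding reports. If sub-day staking is meant to earn something, compute the reward from hours_staked (or from the remaining seconds) directly instead of dividing back down to days; if whole-day granularity is intended, document that and leave the original line unchanged.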
