PT-2026-34555

Impact The staking contract accepts UpdateValidator transactions that set new voting key=Some... while omitting new proof of knowledge. this skips the proof-of-knowledge requirement that is needed to prevent BLS rogue-key attacks when public keys are aggregated. Because tendermint macro block...

Permanent funds lock in StargateRewardableWrapper

Lines of code Vulnerability details Impact The staked funds might be locked because the deposit/withdraw/transfer logic reverts. Proof of Concept In StargateRewardableWrapper, claimAssetRewards claims the accumulated rewards from the staking contract and it's called during every...

First user can drain funds from staking contract

Lines of code Vulnerability details Impact If the first user locks an extremely small amount of tokens 1 wei, he can manipulate the reward that is supposed to receive. After locking a small amount, he can unlock it before the second user interacts with the contract. See PoC for more details. Note...

Risk of flashloan attacks in the Staking contract

Lines of code Vulnerability details Impact An attacker can steal a large amount of rewardsToken from the Staking contract by using flashloans, thus all the users will receive less rewards for their staked amounts. Proof of Concept In the Staking contract any user can stake a given amount of...

Rewards for the Staking.sol contract may be stolen via the first staker

Lines of code Vulnerability details Impact The return amount of the function rewardPerToken may be inflated for the first in the Staking.sol contract. Proof of Concept The Staking.sol contract is designed for the LOT token holders to be able to stake their native tokens. Thus, the token holders...

Division before multiplication lead to truncation

Lines of code Vulnerability details Impact Calculation could result in truncation. Proof of Concept Staking.solL60-L64 : function earnedaddress account public view override returns uint256 earned return balanceOfaccount rewardPerToken - userRewardPerTokenPaidaccount / 1e18 + rewardsaccount; above...

Malicious owner can steal funds

Lines of code Vulnerability details Impact if the owner is malicious, he can drain all funds to his wallet Proof of Concept Tools Used manual review Recommended Mitigation Steps 1. Transfer funds to special trusted contract so funds can be locked and safe. 2. amount input value limit so there...

NODE OPERATORS CAN WITHDRAW ALL THEIR GGP COLLATERAL BEFORE VALIDATION PERIOD ENDS THEREBY AVOIDING SLASHING.

Lines of code Vulnerability details Impact 1. Node operators can avoid slashing, thus no penalties. 2. Node operators can withdraw their entire GGP collateral before the validation period is over. Proof of Concept The withdrawGGP function in Staking.sol transfers back to node operator excess GGP...

Possible to block withdrawal of staked funds after recordStakingEnd or stakingError

Lines of code Vulnerability details Impact Node operators can lose their staked AVAX after stakingEnd or stakingError. Funds will be locked in the Staking contract, but impossible to withdraw. A bad actor does need to supply 1000 AVAX which he gets back and has not have real incentive to do it, b...

Possible DoS in Staking.claim() function

Lines of code Vulnerability details Impact In Staking contract, users are allowed to stake for another recipient. And it also updates warmUpInfo.expiry for recipient address so recipient can only claim after this new expiry is passed. Attackers can abuse this to constantly stake 1 wei for another...

arbitrage on stake()

Lines of code Vulnerability details Issue: there is a huge arb opportunity for people who deposit 1 block before the rebase Consequences: then they can call instantUnstakeReserve or instantUnstakeCurve to unstake the staked amount, in this way the profit that needs to be distributed on the next...

griefing on claim()

Lines of code Vulnerability details Issue: griefing can happen if coolDownPeriod is 0 due to the fact that you can stake for someone else, whenever a stake happens, the expiry variable increases with coolDownPeriod. This can be done either by watching the mempool and frontrun a stake when someone...

It's possible to perform DOS and fund lose in Stacking by transferring tokens directly to contract

Lines of code Vulnerability details Impact Function rebase in contract Staking calls Yieldy.rebaseprofit, and Yieldy.rebaseprofit, would revert if rebasingCredits / updatedTotalSupply was equal to 0. it's possible to transfer some STAKINGTOKEN directly to Stacking contract before or after...

No withdrawal possible for ETH TOKE pool

Lines of code Vulnerability details Impact The withdraw function of the ETH Tokemak pool has an additional parameter asEth. This can be seen in the Tokemak Github repository or also when looking at the deployed code of the ETH pool. Compare that to e.g. the USDC pool, which does not have this...

Staking tokens can be stolen

Lines of code Vulnerability details Impact The staking contract keeps track of shares of each user. When withdrawing from the staking contract the amount parameter is converted to shares and this value is decreased shares = amount / totalbalance totalshare. This shares calculation rounds down whi...

Potential div by 0

Handle 0xImpostor Vulnerability details Impact The staking contract will fail because you are unable to calculate float per second as it is trying to divide by 0. Potential div by 0 is found here i.e. totalLocked safeExponentBitShifting You are trying to right shift totalLocked by 52 bits so if...