DESCRIPTION
The core contracts covered in this audit include restaking-base and lpos_market in https://github.com/octopus-network/restaking-base and https://github.com/octopus-network/lpos_market. The audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.
Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations. In summary, we have found that the codebase contains several critical issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered.The Octopus team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.
KEY FINDINGS
In total, we find 32 potential issues in the smart contract. We also have 6 recommendations and 1 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | High | Incorrect Caller Verification in Function ft_on_transfer() | DeFi Security | Fixed |
| 2 | High | Lack of Check in Function slash_request() | DeFi Security | Fixed |
| 3 | High | Lack of Check in Function handle_anchor_deposit_reward_msg() | DeFi Security | Confirmed |
| 4 | High | Incorrect Calculation of Validator Commission | DeFi Security | Fixed |
| 5 | Low | Incorrect Validation in Function deploy() | DeFi Security | Confirmed |
| 6 | Medium | Failure of Cross-Contract Call Result Handling | DeFi Security | Confirmed |
| 7 | Medium | Incorrect Validation in Function delegate() | DeFi Security | Confirmed |
| 8 | High | Incorrect Slash Amount | DeFi Security | Fixed |
| 9 | High | Incorrect Use of max()/min() | DeFi Security | Fixed |
| 10 | High | Funds Loss Due to Unsaved Treasury Account | DeFi Security | Fixed |
| 11 | High | Potential DoS Due to Inappropriate Implementation of Locking Logic | DeFi Security | Confirmed |
| 12 | High | Unrefunded NEAR in function stake_after_check_whitelisted() | DeFi Security | Fixed |
| 13 | Medium | Incorrect Rounding Direction | DeFi Security | Fixed |
| 14 | Medium | Potential Panic in Callback Function bond_callback() | DeFi Security | Fixed |
| 15 | High | Ineffective Lock on Important Functions | DeFi Security | Fixed |
| 16 | Low | Lack of Pause Functionality in Function bond() | DeFi Security | Fixed |
| 17 | Medium | Unrefunded Storage Fee of Failed Cross-contract Invocations | DeFi Security | Confirmed |
| 18 | High | Incorrect Amount of NEAR Attached in Function change_key() | DeFi Security | Fixed |
| 19 | Medium | Incorrect Gas Setting in the Function bond() | DeFi Security | Fixed |
| 20 | Medium | Unintended Overpayment of Fees by Contract Account | DeFi Security | Fixed |
| 21 | High | Failure to Clear State Due to Delayed State Saving | DeFi Security | Fixed |
| 22 | High | Potential DoS in internal_slash_in_staker_shares() | DeFi Security | Fixed |
| 23 | High | Incorrect Penalty Amount in the Slash Process | DeFi Security | Fixed |
| 24 | Medium | Unlimited Delay in Asset Withdrawal Due to Continuous Invocation of decease_stake() | DeFi Security | Fixed |
| 25 | Low | Unrefunded STORAGE_FEE of Released Storage | DeFi Security | Confirmed |
| 26 | Low | No Storage Fee Charged in Function sync_consumer_chain_pos() | DeFi Security | Confirmed |
| 27 | High | Unlimited Withdrawn with Reused UnstakeBatchId | DeFi Security | Fixed |
| 28 | High | Potential Panic in Callback Function stake_after_check_whitelisted() | DeFi Security | Fixed |
| 29 | Medium | Lack of Storage Fee Charge | DeFi Security | Confirmed |
| 30 | High | Panic in Callback Function stake_callback() | DeFi Security | Fixed |
| 31 | High | Potential DoS in Function destroy() | DeFi Security | Confirmed |
| 32 | High | Potential Panic in Function transfer_near() | DeFi Security | Confirmed |
| 33 | Redundant code | Recommendation | Fixed | |
| 34 | - | Lack of Validation for Register Fee | Recommendation | Confirmed |
| 35 | - | Lack of Check in Function delegate | Recommendation | Fixed |
| 36 | - | Incorrect Error Message | Recommendation | Fixed |
| 37 | - | Refunding Excessive Registration Fee to Incorrect Recipients | Recommendation | Fixed |
| 38 | - | Lack of Check on Account's NEAR Balance | Recommendation | Fixed |
| 39 | - | TPotential Centralization Problem | Note | Confirmed |
More details are provided in the audit report.