Assessment reports > Points Farm > Low findings > Ineffective wETH limit
Category: Coding Mistakes

Ineffective wETH limit

Low Severity
Low Impact
Medium Likelihood

Description

The maximum amount a user may stake in a given token is set by the mapping tokenBalanceAllowList, which is configured in the constructor or through the function setStakableAmount. When a user deposits an ERC-20 token through the depositFor function, the deposited amount is checked so that it, together with the amount the user has already staked, does not exceed that limit. To deposit wETH, however, the user has to go through the depositETHFor function instead:

function depositETHFor(address _for) external payable whenNotPaused {
    if (msg.value == 0) revert DepositAmountCannotBeZero();
    if (_for == address(0)) revert CannotDepositForZeroAddress();
    if (tokenBalanceAllowList[WETH_ADDRESS] == 0) revert TokenNotAllowedForStaking();

    balance[WETH_ADDRESS][_for] += msg.value;
    emit Deposit(++eventId, _for, WETH_ADDRESS, msg.value);

    IWETH(WETH_ADDRESS).deposit{value: msg.value}();
}

In this function, the limit is never compared against the deposit: the only check on tokenBalanceAllowList[WETH_ADDRESS] is that it is nonzero. As a result, once a nonzero limit is configured for wETH, a user can deposit any amount of ETH in one or several calls, and the recorded wETH balance can grow without bound.

Impact

Since the balance limit is not enforced for deposits made through depositETHFor, the contract cannot cap the amount of wETH staked per user, even though the same limit is enforced for every other token.

Recommendations

We recommend checking msg.value in depositETHFor against tokenBalanceAllowList[WETH_ADDRESS] and the user's existing balance[WETH_ADDRESS][_for], exactly as depositFor does for ERC-20 deposits, so that both deposit paths enforce the same per-user limit.
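The following is an added illustration of that recommendation, not code from the Points Farm contracts or from Zellic's report. It keeps the identifiers visible in the finding (tokenBalanceAllowList, balance, WETH_ADDRESS, eventId, Deposit, the three custom errors) and assumes the rest: the constructor signature, the whenNotPaused implementation, the helper _checkLimit, and the error DepositExceedsStakableAmount are all hypothetical. Both deposit paths route through one limit check, so the ETH path can no longer drift from the ERC-20 path; the helper also treats an already-over-limit balance (possible after setStakableAmount lowers a limit) as "no room left" instead of underflowing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces assumed for the example.
interface IWETH {
    function deposit() external payable;
}

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical staking contract showing the hardened depositETHFor.
contract StakingLimitExample {
    error DepositAmountCannotBeZero();
    error CannotDepositForZeroAddress();
    error TokenNotAllowedForStaking();
    // Hypothetical error name; the real contract's name for this case is not shown in the finding.
    error DepositExceedsStakableAmount(uint256 requested, uint256 remaining);

    event Deposit(uint256 indexed id, address indexed account, address indexed token, uint256 amount);

    address public immutable WETH_ADDRESS;
    address public owner;
    bool public paused;
    uint256 public eventId;

    // token => maximum amount a single user may have staked (0 = token not accepted)
    mapping(address => uint256) public tokenBalanceAllowList;
    // token => user => staked amount
    mapping(address => mapping(address => uint256)) public balance;

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    constructor(address weth, uint256 wethLimit) {
        WETH_ADDRESS = weth;
        owner = msg.sender;
        tokenBalanceAllowList[weth] = wethLimit;
    }

    // Assumed admin setter; setting 0 disables the token (the remediation considered by the team).
    function setStakableAmount(address token, uint256 limit) external {
        require(msg.sender == owner, "not owner");
        tokenBalanceAllowList[token] = limit;
    }

    // Single limit check shared by every deposit path.
    function _checkLimit(address token, address account, uint256 amount) internal view {
        uint256 limit = tokenBalanceAllowList[token];
        if (limit == 0) revert TokenNotAllowedForStaking();
        uint256 staked = balance[token][account];
        // If a limit was lowered below an existing balance, no further deposits are allowed;
        // computing limit - staked directly would underflow and revert with a panic instead.
        uint256 remaining = staked >= limit ? 0 : limit - staked;
        if (amount > remaining) revert DepositExceedsStakableAmount(amount, remaining);
    }

    // ERC-20 path: the limit was already enforced here in the audited code.
    function depositFor(address token, address _for, uint256 amount) external whenNotPaused {
        if (amount == 0) revert DepositAmountCannotBeZero();
        if (_for == address(0)) revert CannotDepositForZeroAddress();
        _checkLimit(token, _for, amount);

        balance[token][_for] += amount;
        emit Deposit(++eventId, _for, token, amount);

        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    // ETH path: now enforces the same per-user wETH limit before crediting the balance.
    function depositETHFor(address _for) external payable whenNotPaused {
        if (msg.value == 0) revert DepositAmountCannotBeZero();
        if (_for == address(0)) revert CannotDepositForZeroAddress();
        _checkLimit(WETH_ADDRESS, _for, msg.value); // the check missing from the audited code

        balance[WETH_ADDRESS][_for] += msg.value;
        emit Deposit(++eventId, _for, WETH_ADDRESS, msg.value);

        IWETH(WETH_ADDRESS).deposit{value: msg.value}();
    }
}
```

With this structure a deposit of 3 ether against a 2 ether limit reverts with DepositExceedsStakableAmount(3 ether, 2 ether), two deposits of 1 ether succeed and a third reverts with remaining = 0, and setting the wETH limit to 0 makes every ETH deposit revert with TokenNotAllowedForStaking, which is the same behavior the audited depositETHFor already had for a zero limit.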

Remediation

Level is considering no longer accepting wETH by setting its stakable amount to zero. Because depositETHFor reverts with TokenNotAllowedForStaking whenever tokenBalanceAllowList[WETH_ADDRESS] is zero, this disables the ETH deposit path entirely and therefore removes the unbounded path; it does not, however, make the limit check itself effective should wETH be re-enabled later.

Zellic © 2025