Category: Coding Mistakes
Missing referrer-account constraint
Low Impact
Low Severity
Low Likelihood
Description
Some stake pools may have referral fees set, which give a bonus to a specific referrer account upon deposit.
The test case for depositing into a stake pool on Pye sets this referrer account to the fee wallet, but the program has no constraints for this field.
Impact
A user could deposit into a stake pool without setting the referrer account to the fee wallet, causing the protocol to miss out on fees.
Recommendations
If the program is intended to collect referral fees, add a constraint to the account to ensure it is the bond's LST-fee wallet.
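The recommended check, as an added example (not Pye's code and not the fix from the commit): a plain-Rust model of the deposit handler without and with the referrer constraint. The types, field names and fee arithmetic are assumptions made for illustration.

```rust
// Added illustration: plain-Rust stand-ins for on-chain types; every name is hypothetical.
type Pubkey = [u8; 32];

#[derive(Debug, PartialEq)]
enum DepositError {
    InvalidReferrer,
}

struct Bond {
    lst_fee_wallet: Pubkey, // wallet the protocol expects referral fees to reach
}

struct DepositAccounts {
    referrer: Pubkey, // supplied by the caller with the deposit instruction
}

// Referral fee for a deposit, given the pool's fee in basis points (assumed model).
fn referral_fee(amount: u64, fee_bps: u64) -> u64 {
    (amount as u128 * fee_bps as u128 / 10_000) as u64
}

// Before: the referral fee follows whatever referrer account the caller passed.
fn deposit_unchecked(_bond: &Bond, accts: &DepositAccounts, amount: u64, fee_bps: u64) -> (Pubkey, u64) {
    (accts.referrer, referral_fee(amount, fee_bps))
}

// After: reject the deposit unless the referrer is the bond's LST-fee wallet.
fn deposit_checked(bond: &Bond, accts: &DepositAccounts, amount: u64, fee_bps: u64) -> Result<(Pubkey, u64), DepositError> {
    if accts.referrer != bond.lst_fee_wallet {
        return Err(DepositError::InvalidReferrer);
    }
    Ok((accts.referrer, referral_fee(amount, fee_bps)))
}

fn main() {
    let fee_wallet = [1u8; 32]; // constructed sample keys
    let other = [2u8; 32];
    let bond = Bond { lst_fee_wallet: fee_wallet };
    let accts = DepositAccounts { referrer: other };
    println!("unchecked: {:?}", deposit_unchecked(&bond, &accts, 1_000_000, 50).1);
    println!("checked:   {:?}", deposit_checked(&bond, &accts, 1_000_000, 50));
}
```

In an Anchor program the same check is usually written as an `address = ...` constraint on the referrer account; whether Pye uses Anchor is not stated here.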
Remediation
This issue has been acknowledged by Pye in the Sky Labs Ltd., and a fix was implemented in commit 5bb0bc75.