Assessment reportsPublic findings
Back to Zellic siteBack
Assessment reports>Staking>Threat Model>stake
GeneralOverview
Findings
High (1)
Medium (1)
Informational (2)
DiscussionDeployment failure could waste gasTesting coverage assessment
Threat ModelWhat are threat models?BonusDistributor.solRewardDistributor.sol
RewardTracker.sol_approve_transferapproveclaimclaimForAccountinitializesetDepositTokenstakestakeForAccounttransfertransferFromunstakeunstakeForAccount
StakingAdmin.solStakingRouter.solVester.solVesterNoReserve.sol
Audit ResultsSummary

Function: stake(address _depositToken, uint256 _amount)

Allows staking of tokens.

Inputs

  • _depositToken

    • Control: Controlled by the caller.

    • Constraints: Checked that the token is whitelisted (isDepositToken).

    • Impact: The token to be staked.

  • _amount

    • Control: Controlled by the caller.

    • Constraints: Checked that the amount is greater than zero. Also, in the safeTransferFrom call, it is checked that the _fundingAccount (in this case, msg.sender) has enough balance.

    • Impact: The amount of tokens to be staked.

Branches and code coverage (including function calls)

Intended branches

  • Checks that the token is whitelisted (isDepositToken).

  • Checks that the amount is greater than zero.

  • Checks that the _fundingAccount (in this case, msg.sender) has enough balance (safeTransferFrom).

  • Updates the rewards for the _account.

  • Updates the stakedAmounts for the _account.

  • Updates the depositBalances for the _account.

  • Updates the totalDepositSupply for the _depositToken.

  • Mints the _amount of tokens to the _account.

Negative behavior

  • Should not be callable if isPrivateStakingMode is true.

Zellic © 2025Back to top ↑