Assessment reportsPublic findings
Back to Zellic site
Assessment reports>TruFin Injective Staker>Informational findings>Erroneous mint-fee message
GeneralOverview
Findings
Medium (1)
Informational (1)Erroneous mint-fee message
Threat ModelWhat are threat models?Injective-staker-contract
Audit ResultsAssessment Results
Category: Coding Mistakes

Erroneous mint-fee message

Informational Severity
Informational Impact
N/A Likelihood

Description

In the internal_stake and internal_unstake functions, the contract adds the mint_treasury_fees message even when there are no rewards.

let validator_total_rewards = deps
    .querier
    .query_delegation(staker_address, validator_addr.clone())?
    .and_then(|d| {
        d.accumulated_rewards
            .iter()
            .find(|coin| coin.denom == INJ)
            .cloned()
    })
    .map(|reward| reward.amount.u128())
    .unwrap_or(0);

CONTRACT_REWARDS.save(deps.storage, &validator_total_rewards.into())?;

// mint fees to the treasury for the liquid rewards on the validator
let treasury_shares_minted = mint_treasury_fees(
    &mut deps,
    &env,
    validator_total_rewards,
    fee,
    staker_info.treasury.clone(),
    share_price_num,
    share_price_denom,
)?;

Impact

If there are no rewards or the fee amount is zero, the contract does not need to add a message to mint the fee.

Recommendations

Only add the mint message for the fee, if the computed fee is nonzero.

Remediation

This issue has been acknowledged by TruFin, and a fix was implemented in commit ef8518f8.

Zellic © 2025Back to top ↑