Zero Staking Security Smart Contract Audit

Summary

This audit focuses on a set of contracts that support lightweight staking for the Zero ecosystem where users can stake tokens to generate potential rewards. Additionally, there is a separate feature where the owner and operators can create and resolve game matches between players in the platform, facilitating the transfer of funds between the escrow contract and the users. We found ten issues, two of which are high severity. The first issue allows an attacker to gain a disproportionate amount of rewards through a reentrancy vector in the stake and unstaking mechanism (ZS-1). The second issue is due to a lack of proper validation, which can cause a user to lose all his funds accidentally when unstaking through the exit mode (ZS-2). Additionally, we found two medium-severity issues: users can receive fewer rewards due to integer division (ZS-3) and that staked funds can be lost due to a lack of separation between staked and reward funds (ZS-4). We recommend adding additional tests to validate fixes for high and medium issues identified. We also included a few operational risks as low and informational severity issues. Users of the staking feature will greatly benefit from additional clarification from the team to help understand these risks when engaging with the project. Regarding project quality, there is a lack of external-facing and technical documentation, so we have to rely on direct communication with the team to build our understanding. The test quality is decent, with branch coverage of around 79%. We believe the team can benefit from increasing the test coverage as well as having proper documentation to help users understand this new staking and matching features. **Update**: The team has addressed all issues by either fixing or acknowledging them, as well as adding tests to validate the fixes. We appreciate the team's responsiveness and their thoroughness in their responses.

Project

Zero Staking

Ethereum

No active critical issues

Last audited on 2024/06/20

Auditor

142 audits on Trustblock

Multi-Tags

Issues (10)

	Low	Medium	High	Critical	Total
Not fixed	4	-	-	-	4
Fixed	2	2	2	-	6
Total	6	2	2	0	10

Contracts (12)

#	Github Repository	Commit Hash	File	Url
1	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/access/IOwnableOperable.sol	Check on Github
2	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/access/OwnableOperable.sol	Check on Github
3	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/staking/ERC20/StakingERC20.sol	Check on Github
4	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/escrow/Escrow.sol	Check on Github
5	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/staking/IStakingBase.sol	Check on Github
6	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/staking/StakingBase.sol	Check on Github
7	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/staking/ERC721/IStakingERC721.sol	Check on Github
8	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/match/Match.sol	Check on Github
9	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/escrow/IEscrow.sol	Check on Github
10	zer0-os/zModules	5f93318541de502e40d80354f1af21e6e8791f87	contracts/match/IMatch.sol	Check on Github

Zero Staking

Summary

Issues (10)

Compromised Owner or Operators Can Steal All Users' Escrowed Fundsnot_fixed/low

Privileged Roles and Ownershipnot_fixed/low

There May Not Be Sufficient Funds in the Contract to Cover the Reward Claimsnot_fixed/low

User Can Stake a Small Amount Initially to Get an Early Unlock Timestampnot_fixed/low

Contracts (12)