✅RACE #11 - Staking

RACE #11 of the Secureum Bootcamp Epoch∞ • Ventral DigitalVentral Digital

RACE #11

RACE #11 result

Note: All 8 questions in this RACE are based on the below contract. This is the same contract you will see for all the 8 questions in this RACE. The question is below the shown contract.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";


contract Staking {

   using SafeERC20 for IERC20;

   bool internal _paused;
   address internal _operator;
   address internal _governance;
   address internal _token;
   uint256 internal _minDepositLockTime;

   mapping(address => uint256) _userBalances;
   mapping(address => uint256) _userLastDeposit;

   event Deposit(
       address indexed user,
       uint256 amount
   );

   event Withdraw(
       address indexed user,
       uint256 amount
   );

   constructor(address operator, address governance, address token, uint256 minDepositLockTime) {
       _operator = operator;
       _governance = governance;
       _token = token;
       _minDepositLockTime = minDepositLockTime;
   }

   function depositFor(address user, uint256 amount) external {
       _userBalances[user] += amount;
       _userLastDeposit[user] = block.timestamp;

       IERC20(_token).safeTransferFrom(user, address(this), amount);

       emit Deposit(msg.sender, amount);
   }

   function withdraw(uint256 amount) external {
       require(!_paused, 'paused');
       require(block.timestamp >= _userLastDeposit[msg.sender] + _minDepositLockTime, 'too early');

       IERC20(_token).safeTransferFrom(address(this), msg.sender, amount);

       if (_userBalances[msg.sender] >= amount) {
           _userBalances[msg.sender] -= amount;
       } else {
           _userBalances[msg.sender] = 0;
       }

       emit Withdraw(msg.sender, amount);
   }

   function pause() external {
       // operator or gov
       require(msg.sender == _operator && msg.sender == _governance, 'unauthorized');

       _paused = true;
   }

   function unpause() external {
       // only gov
       require(msg.sender == _governance, 'unauthorized');

       _paused = false;
   }

   function changeGovernance(address governance) external {
       _governance = governance;
   }
}

Question 1 ✅

Which statements are true in withdraw()?

• A. Can be successfully executed when contract is paused -> require(!_paused, 'paused')

• B. User can withdraw only after _minDepositLockTime elapsed since last withdrawal -> "since last deposit", not "withdrawal"

• C. Follows checks-effects-interaction pattern best practice

• D. User can withdraw more than deposited -> if amount is huge, that amount of tokens still will be sent via safeTransferFrom() and _userBalances[msg.sender] = 0 is set after the transfer

Question 2 ✅

Which mitigations are applicable to withdraw()?

• A. Transferred amount should be minimum of amount and _userBalances[msg.sender]

• B. Move if/else block before safeTransferFrom -> But user can still withdraw more than _userBalances[msg.sender]

• C. Require amount to be <= user’s balance deposited earlier

• D. Remove if/else block and add _userBalances[msg.sender] -= amount before safeTransferFrom -> If amount is larger than user's balance then tx will revert

Question 3 ✅

The security concern(s) in pause() is/are:

• A. Does not emit an event

• B. Access control is not strict enough

• C. Will always revert

• D. None of the above

Question 4 ✅

Which statement(s) is/are true for unpause()?

• A. Will unpause deposits and withdrawals

• B. Will unpause withdrawals only

• C. Anyone can successfully call the function

• D. None of the above

Question 5 ✅

Which statement(s) is/are true in depositFor()?

• A. Can be executed when contract is paused

• B. Allows a user to deposit for another user

• C. Allows a user to fund the deposit for another user

• D. None of the above

Question 6 ✅

The issue(s) in depositFor() is/are:

• A. Cannot be paused for emergency

• B. Exploitable re-entrancy attack

• C. User withdrawals can be delayed indefinitely via DoS attack -> Attacker can call depositFor(user, 0) over and over

• D. None of the above

Question 7 ✅

Which of the following statement(s) is/are true?

• A. Withdraw event is emitted with incorrect amount

• B. Withdraw event is emitted with correct user

• C. Deposit event is always emitted incorrectly -> Not always, because msg.sender could be user

• D. Deposit event is emitted with incorrect user

Question 8 ✅

Potential gas optimization(s) is/are:

• A. Use immutable for all variables assigned in constructor -> _governance should be mutable

• B. Use immutable for _token, _operator and _minDepositLockTime

• C. Use unchecked

• D. None of the above