RACE #11 - Staking

Note: All 8 questions in this RACE are based on the below contract. This is the same contract you will see for all the 8 questions in this RACE. The question is below the shown contract.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";


contract Staking {

   using SafeERC20 for IERC20;

   bool internal _paused;
   address internal _operator;
   address internal _governance;
   address internal _token;
   uint256 internal _minDepositLockTime;

   mapping(address => uint256) _userBalances;
   mapping(address => uint256) _userLastDeposit;

   event Deposit(
       address indexed user,
       uint256 amount
   );

   event Withdraw(
       address indexed user,
       uint256 amount
   );

   constructor(address operator, address governance, address token, uint256 minDepositLockTime) {
       _operator = operator;
       _governance = governance;
       _token = token;
       _minDepositLockTime = minDepositLockTime;
   }

   function depositFor(address user, uint256 amount) external {
       _userBalances[user] += amount;
       _userLastDeposit[user] = block.timestamp;

       IERC20(_token).safeTransferFrom(user, address(this), amount);

       emit Deposit(msg.sender, amount);
   }

   function withdraw(uint256 amount) external {
       require(!_paused, 'paused');
       require(block.timestamp >= _userLastDeposit[msg.sender] + _minDepositLockTime, 'too early');

       IERC20(_token).safeTransferFrom(address(this), msg.sender, amount);

       if (_userBalances[msg.sender] >= amount) {
           _userBalances[msg.sender] -= amount;
       } else {
           _userBalances[msg.sender] = 0;
       }

       emit Withdraw(msg.sender, amount);
   }

   function pause() external {
       // operator or gov
       require(msg.sender == _operator && msg.sender == _governance, 'unauthorized');

       _paused = true;
   }

   function unpause() external {
       // only gov
       require(msg.sender == _governance, 'unauthorized');

       _paused = false;
   }

   function changeGovernance(address governance) external {
       _governance = governance;
   }
}

Which statements are true in withdraw()?

A. Can be successfully executed when contract is paused -> require(!_paused, 'paused')
B. User can withdraw only after _minDepositLockTime elapsed since last withdrawal -> "since last deposit", not "withdrawal"
C. Follows checks-effects-interaction pattern best practice
D. User can withdraw more than deposited -> if amount is huge, that amount of tokens still will be sent via safeTransferFrom() and _userBalances[msg.sender] = 0 is set after the transfer

Which mitigations are applicable to withdraw()?

A. Transferred amount should be minimum of amount and _userBalances[msg.sender]
B. Move if/else block before safeTransferFrom -> But user can still withdraw more than _userBalances[msg.sender]
C. Require amount to be <= user’s balance deposited earlier
D. Remove if/else block and add _userBalances[msg.sender] -= amount before safeTransferFrom -> If amount is larger than user's balance then tx will revert

The security concern(s) in pause() is/are:

A. Does not emit an event
B. Access control is not strict enough
C. Will always revert
D. None of the above

Which statement(s) is/are true for unpause()?

A. Will unpause deposits and withdrawals
B. Will unpause withdrawals only
C. Anyone can successfully call the function
D. None of the above

Which statement(s) is/are true in depositFor()?

A. Can be executed when contract is paused
B. Allows a user to deposit for another user
C. Allows a user to fund the deposit for another user
D. None of the above

The issue(s) in depositFor() is/are:

A. Cannot be paused for emergency
B. Exploitable re-entrancy attack
C. User withdrawals can be delayed indefinitely via DoS attack -> Attacker can call depositFor(user, 0) over and over
D. None of the above

Which of the following statement(s) is/are true?

A. Withdraw event is emitted with incorrect amount
B. Withdraw event is emitted with correct user
C. Deposit event is always emitted incorrectly -> Not always, because msg.sender could be user
D. Deposit event is emitted with incorrect user

Potential gas optimization(s) is/are:

A. Use immutable for all variables assigned in constructor -> _governance should be mutable
B. Use immutable for _token, _operator and _minDepositLockTime
C. Use unchecked
D. None of the above

PreviousRACE #10 - Test Cases NextRACE #12 - ERC20 Permit

Last updated 2 years ago

Was this helpful?

Note: All 8 questions in this RACE are based on the below contract. This is the same contract you will see for all the 8 questions in this RACE. The question is below the shown contract.

// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";


contract Staking {

   using SafeERC20 for IERC20;

   bool internal _paused;
   address internal _operator;
   address internal _governance;
   address internal _token;
   uint256 internal _minDepositLockTime;

   mapping(address => uint256) _userBalances;
   mapping(address => uint256) _userLastDeposit;

   event Deposit(
       address indexed user,
       uint256 amount
   );

   event Withdraw(
       address indexed user,
       uint256 amount
   );

   constructor(address operator, address governance, address token, uint256 minDepositLockTime) {
       _operator = operator;
       _governance = governance;
       _token = token;
       _minDepositLockTime = minDepositLockTime;
   }

   function depositFor(address user, uint256 amount) external {
       _userBalances[user] += amount;
       _userLastDeposit[user] = block.timestamp;

       IERC20(_token).safeTransferFrom(user, address(this), amount);

       emit Deposit(msg.sender, amount);
   }

   function withdraw(uint256 amount) external {
       require(!_paused, 'paused');
       require(block.timestamp >= _userLastDeposit[msg.sender] + _minDepositLockTime, 'too early');

       IERC20(_token).safeTransferFrom(address(this), msg.sender, amount);

       if (_userBalances[msg.sender] >= amount) {
           _userBalances[msg.sender] -= amount;
       } else {
           _userBalances[msg.sender] = 0;
       }

       emit Withdraw(msg.sender, amount);
   }

   function pause() external {
       // operator or gov
       require(msg.sender == _operator && msg.sender == _governance, 'unauthorized');

       _paused = true;
   }

   function unpause() external {
       // only gov
       require(msg.sender == _governance, 'unauthorized');

       _paused = false;
   }

   function changeGovernance(address governance) external {
       _governance = governance;
   }
}

Question 1

Which statements are true in withdraw()?

A. Can be successfully executed when contract is paused -> require(!_paused, 'paused')
B. User can withdraw only after _minDepositLockTime elapsed since last withdrawal -> "since last deposit", not "withdrawal"
C. Follows checks-effects-interaction pattern best practice
D. User can withdraw more than deposited -> if amount is huge, that amount of tokens still will be sent via safeTransferFrom() and _userBalances[msg.sender] = 0 is set after the transfer

Question 2