Cold Staking security audit, conducted by the Callisto Network Security Department in October 2018.

Cold Staking Specificities

Audit Request

The Cold Staking smart contract is the core smart contract of Callisto Network. It is intended to allow users to stake their CLO by locking it for a certain period of time.

The contract must allow users to:

  • Deposit CLO into the contract after the contract launch date (i.e. “stake” it).
  • Deposited CLO must be locked for the specified amount of time.
  • Withdraw CLO after the specified amount of time.
  • Withdraw staking rewards.
  • Throw out a staker if he is inactive for longer than 2 years.

Implementation pattern:

  1. Security audit of the Cold Staking contract.
  2. Bug bounty.
  3. The contract will be compiled and deployed on Callisto Mainnet before the hardfork date.
  4. On 11 November, hardfork №1 will be enabled. The contract will start to receive 20% of block rewards. Staking will not be enabled instantly.
  5. On 12 November at 00:00 UTC, staking will become available.

Cold Staking values:

See EthereumCommonwealth/Roadmap#51 (comment).

Source Code:

https://github.com/EthereumCommonwealth/Cold-staking/tree/863846e510299b8cb07bab38c0b60d1bd78e9947

Disclosure policy:

Publish everything.

Platform:

CLO.

Complexity:

Low.

Cold Staking Smart Contract Security Audit Report

Are Your Funds Safe?


1. In scope

  • ColdStaking.sol

2. Findings

In total, 1 issue was reported, including:

  • 1 minor observation.

No critical security issues were found.

2.1. Timestamp may not have the intended meaning. A round can go longer than 27 days.

Severity: minor observation.

Code snippet:

Description:

The round can go longer than 27 days if the block generation time increases to over 25 seconds and stays there for a long time.

When the block time is more than 25 seconds, Timestamp will not hold the “timestamp of the last interaction” value (look at here). This will lead to a distortion of the flow of staking time.

Consider the problem by way of an example:

  Block id    | Block time, sec | _seconds variable | now        | Timestamp variable | now - Timestamp | Comment
  start value |                 |                   | 1539260000 |                    |                 | Mike makes a stake.
  1200000     | 35              | 25                | 1539260035 | 1539260025         | 10              |
  1200001     | 35              | 25                | 1539260070 | 1539260050         | 20              |
  1200002     | 35              | 25                | 1539260105 | 1539260075         | 30              |
  (an hour has passed)
  1200103     | 35              | 25                | 1539263640 | 1539262600         | 1040            | 1 hour of real time has passed, but the contract “thinks” that 43 minutes have passed.

I don’t know whether a continuous change in the block generation time by a value greater than 25 seconds is possible. But if it is possible, then the time inside the contract will differ from the real time, which will affect the reward.
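To make the drift in the table concrete, here is an added simulation (not code from the Cold Staking contract or from the audit) that reproduces the table's rows and generalises the finding to compute how long a 27-day round lasts in real time for any block time, including block times below 25 s, where the contract runs fast instead of slow. It assumes what the table implies: the contract advances Timestamp by a fixed _seconds of 25 per block rather than reading the real block timestamp.

```python
# Added example, not code from the Cold Staking contract or its auditors.
# Assumption taken from the audit table: the contract advances its Timestamp
# by a fixed `_seconds` (25 s) per block instead of reading block.timestamp.

CONTRACT_SECONDS = 25       # the contract's `_seconds` value from the table
ROUND_SECONDS = 27 * 86400  # one staking round: 27 days of contract time
STAKE_TIME = 1539260000     # block timestamp at which "Mike makes a stake"


def simulate(blocks, real_block_time, start=STAKE_TIME):
    """Walk `blocks` blocks mined `real_block_time` seconds apart.

    Returns (now, timestamp, drift): the real chain time, the contract's
    internal Timestamp, and now - Timestamp in seconds (the table's columns).
    """
    now = timestamp = start
    for _ in range(blocks):
        now += real_block_time          # real block.timestamp advances
        timestamp += CONTRACT_SECONDS   # contract assumes 25 s per block
    return now, timestamp, now - timestamp


def contract_elapsed(real_seconds, real_block_time):
    """Seconds the contract believes have passed after `real_seconds` of real time."""
    blocks = real_seconds // real_block_time
    return blocks * CONTRACT_SECONDS


def real_round_length(real_block_time):
    """Real seconds that elapse before the contract counts one 27-day round."""
    blocks_in_round = ROUND_SECONDS // CONTRACT_SECONDS   # 93312 blocks
    return blocks_in_round * real_block_time


if __name__ == "__main__":
    now, ts, drift = simulate(104, 35)   # the table's last row
    print(now, ts, drift)                # 1539263640 1539262600 1040
    for bt in (20, 25, 35):
        days = real_round_length(bt) / 86400
        print(f"block time {bt}s: a 27-day round takes {days:.1f} real days")
```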

3. Conclusion

No critical vulnerabilities were detected.

4. Revealing audit reports
