Cold Staking security audit, conducted by the Callisto Network Security Department in October 2018.
Cold Staking Specificities
Audit Request
Cold Staking smart-contract is the core smart-contract of Callisto Network that is intended to allow users to stake their CLO by locking it for a certain period of time.
The contract must allow users to:
- Deposit CLO into the contract after the contract launch date (i.e. “stake” it).
- Deposited CLO must be locked for the specified amount of time.
- Withdraw CLO after the specified amount of time.
- Withdraw staking rewards.
- Throw out a staker if he is inactive for longer than 2 years.
Implementation pattern:
- Security audit of the Cold Staking contract.
- Bug bounty.
- Contract will be compiled and deployed at Callisto Mainnet before the hardfork date.
- At 11th November, the hardfork №1 will be enabled. Contract will start to receive 20% of block rewards. Staking will not be enabled instantly.
- At 12th November 0:0 UTC the staking will become available.
Cold Staking values:
See EthereumCommonwealth/Roadmap#51 (comment).
Source Code:
https://github.com/EthereumCommonwealth/Cold-staking/tree/863846e510299b8cb07bab38c0b60d1bd78e9947
Disclosure policy:
Publish everything.
Platform:
CLO.
Complexity:
Low.
Cold Staking Smart Contract Security Audit Report
Are Your Funds Safe?
1. In scope
- ColdStaking.sol
2. Findings
In total, 1 issues were reported including:
- 1 minor observation.
No critical security issues were found.
2.1. Timestamp may have not right meaning. A round can go longer than 27 days.
Severity: minor observation.
Code snippet:
Description:
The round can go longer than 27 days in case of an increase block generation time to over 25 seconds for a long time.
In case when blocktime is more than 25 seconds the Timestamp will have not “timestamp of the last interaction” value (look at here). This will lead to a distortion of the flow of staking time.
Consider the problem by example:
| Block id | Block time, sec | _seconds variable |
now | Timestamp variable |
now - Timestamp = |
Recommendation |
|---|---|---|---|---|---|---|
| start value | 1539260000 | Mike make a stake. | ||||
| 1200000 | 35 | 25 | 1539260035 | 1539260025 | 10 | |
| 1200001 | 35 | 25 | 1539260070 | 1539260050 | 20 | |
| 1200002 | 35 | 25 | 1539260105 | 1539260075 | 30 | |
| … | … | … | … | … | … | An hour has passed |
| 1200103 | 35 | 25 | 1539263640 | 1539262600 | 1040 | Passed 1 hour of real time, but the contract “thinks” that 43 minutes have passed. |
I don’t know whether a continuous change in the block generation time by a value greater than 25 seconds is possible. But if it is possible then the time inside the contract will differ from the real time. What will affect the reward.
3. Conclusion
No critical vulnerabilities were detected.
4. Revealing audit reports
- https://gist.github.com/yuriy77k/0074bd128bb29b601702e080c95b1fa4
- https://gist.github.com/yuriy77k/28b349a4f4fbf71639d6d35b6d4357a7
- https://gist.github.com/yuriy77k/1c97d787d60faa6c2e82f1b30529bb51
Appendix
Smart Contract Audits by Callisto Network.
Miscellaneous
Our Most Popular Audit Reports.
Trust the Blockchain, Audit the Smart Contracts.
Follow Callisto’s Security Department on Twitter to get our latest news and updates!