Cold Staking security audit, conducted by the Callisto Network Security Department in October 2018.


Cold Staking Specificities




Audit Request

Cold Staking smart-contract is the core smart-contract of Callisto Network that is intended to allow users to stake their CLO by locking it for a certain period of time.

The contract must allow users to:

  • Deposit CLO into the contract after the contract launch date (i.e. “stake” it).
  • Deposited CLO must be locked for the specified amount of time.
  • Withdraw CLO after the specified amount of time.
  • Withdraw staking rewards.
  • Throw out a staker if he is inactive for longer than 2 years.

Implementation pattern:

  1. Security audit of the Cold Staking contract.
  2. Bug bounty.
  3. Contract will be compiled and deployed at Callisto Mainnet before the hardfork date.
  4. At 11th November, the hardfork №1 will be enabled. Contract will start to receive 20% of block rewards. Staking will not be enabled instantly.
  5. At 12th November 0:0 UTC the staking will become available.

Cold Staking values:

See EthereumCommonwealth/Roadmap#51 (comment).

Source Code:

Disclosure policy:

Publish everything.






Cold Staking Smart Contract Security Audit Report

Are Your Funds Safe?


1. In scope

  • ColdStaking.sol

2. Findings

In total, 1 issues were reported including:

  • 1 minor observation.

No critical security issues were found.

2.1. Timestamp may have not right meaning. A round can go longer than 27 days.

Severity: minor observation.

Code snippet:


The round can go longer than 27 days in case of an increase block generation time to over 25 seconds for a long time.

In case when blocktime is more than 25 seconds the Timestamp will have not “timestamp of the last interaction” value (look at here). This will lead to a distortion of the flow of staking time.


Consider the problem by example:

Block id Block time, sec _seconds variable now Timestamp variable now - Timestamp = Recommendation
start value       1539260000   Mike make a stake.
1200000 35 25 1539260035 1539260025 10  
1200001 35 25 1539260070 1539260050 20  
1200002 35 25 1539260105 1539260075 30  
An hour has passed
1200103 35 25 1539263640 1539262600 1040 Passed 1 hour of real time, but the contract “thinks” that 43 minutes have passed.


I don’t know whether a continuous change in the block generation time by a value greater than 25 seconds is possible. But if it is possible then the time inside the contract will differ from the real time. What will affect the reward.

3. Conclusion

No critical vulnerabilities were detected.

4. Revealing audit reports


Smart Contract Audits by Callisto Network.


Why Audit Smart Contracts?

Our Most Popular Audit Reports.

Trust the Blockchain, Audit the Smart Contracts.

Follow Callisto’s Security Department on Twitter to get our latest news and updates!