# 56367 sc insight staker gas optimization public to external visibility **Submitted on Oct 15th 2025 at 06:25:52 UTC by @caslo for** [**Attackathon | VeChain Hayabusa Upgrade**](https://immunefi.com/audit-competition/vechain-hayabusa-upgrade-attackathon) * **Report ID:** #56367 * **Report Type:** Smart Contract * **Report severity:** Insight * **Target:** * **Impacts:** Gas inefficiency (low severity) {% hint style="info" %} Classification: Gas Optimization / Low Severity - Informational {% endhint %} ## Brief / Intro The `totalStake()` and `queuedStake()` view functions in the Staker contract are declared with `public` visibility but are never called internally within the contract. Using `public` instead of `external` for these functions results in unnecessary gas costs for users querying stake information. These functions could be declared as `external` to reduce gas consumption by 41–70 gas per call. ## Vulnerability Details In Solidity, `public` functions can be called both internally and externally, while `external` functions can only be called externally. Marking a function `public` causes the compiler to generate extra code to handle internal calls and copy parameters to memory, which can increase gas usage when only external calls are needed. Current implementation in `staker.sol`: ```solidity // Line 33-35 function totalStake() public view returns (uint256 totalVET, uint256 totalWeight) { return StakerNative(address(this)).native_totalStake(); } // Line 40-42 function queuedStake() public view returns (uint256 queuedVET) { return StakerNative(address(this)).native_queuedStake(); } ``` Analysis of the entire contract (396 lines) confirms: * Neither `totalStake()` nor `queuedStake()` are called internally within the contract * Both functions only delegate to native calls and serve as external interfaces * No other functions in the contract reference these functions Gas impact verified through testing (Foundry): ``` totalStake(): PUBLIC: 5913 gas EXTERNAL: 1524 gas Savings: 4389 gas (74% reduction) queuedStake(): PUBLIC: 1414 gas EXTERNAL: 1373 gas Savings: 41 gas (2.9% reduction) ``` ## Impact Details * Type: Gas Inefficiency (Low Severity) * User Impact: * Every external call to `totalStake()` wastes \~70 gas unnecessarily * Every external call to `queuedStake()` wastes \~41 gas unnecessarily * These are query functions likely called frequently by validators, delegators, and monitoring systems * Financial Impact: * No funds are at risk * No security breach is possible * Impact is limited to slightly higher transaction costs for users * Cumulative Cost: * If called thousands of times per day, cumulative wasted gas could be meaningful over time, but not critical ## Recommended Fix Change visibility from `public` to `external`: ```diff - function totalStake() public view returns (uint256 totalVET, uint256 totalWeight) { + function totalStake() external view returns (uint256 totalVET, uint256 totalWeight) { return StakerNative(address(this)).native_totalStake(); } - function queuedStake() public view returns (uint256 queuedVET) { + function queuedStake() external view returns (uint256 queuedVET) { return StakerNative(address(this)).native_queuedStake(); } ``` Benefits: * Reduced gas costs for all callers * No breaking changes (ABI remains compatible) * Follows Solidity best practices * Signals clear intent that functions are external-only ## Test Verification All tests can be run with: ```bash forge test --match-path test/StakerViewVisibility.t.sol -vv ```
Test Output ``` ======================================== Gas Comparison: PUBLIC vs EXTERNAL ======================================== totalStake(): PUBLIC: 5913 gas EXTERNAL: 1524 gas Savings: 4389 gas (74%) queuedStake(): PUBLIC: 1414 gas EXTERNAL: 1373 gas Savings: 41 gas (2%) ======================================== Suite result: ok. 7 passed; 0 failed; 0 skipped ```
## References * Test Implementation: `test/StakerViewVisibility.t.sol` * Comparison Contract: `src/StakerVisibilityCompare.sol` * Detailed Report: `ViewVisibilityOptimizationReport.md` * Quick Guide: `QUICK_START_GUIDE.md` * Solidity Documentation on Function Visibility: * Original Contract: `staker.sol` (lines 33 and 40) ## Proof of Concept Link to PoC: *** Note: Most bug bounty programs categorize this as "Gas Optimization" rather than a security vulnerability. Check the program's scope to see if gas optimizations are eligible for rewards. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/vechain-hayabusa-upgrade-or-attackathon/56367-sc-insight-staker-gas-optimization-public-to-external-visibility.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.