search
Active Boosts

42439 sc insight insight report for stakev2 contract

hashtag
#42439 [SC-Insight] Insight Report for StakeV2 contract

Submitted on Mar 23rd 2025 at 22:59:30 UTC by @pxng0lin for Audit Comp | Yeetarrow-up-right

  • Report ID: #42439

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol

  • Impacts:

hashtag
Description

hashtag
[LOW-01] Unused Local Variable

hashtag
Severity: Low

hashtag
Affected Contract

StakeV2.sol

hashtag
Description

In the executeRewardDistribution function (line 195), the local variable _islandTokens is declared and assigned a value from the return of zapper.zapInNative, but it's never used in the function.

hashtag
Impact

While not a security vulnerability, unused variables make the code less clean and potentially indicate incomplete implementation or a misunderstanding of the function's purpose.

hashtag
Recommendation

Remove the unused variable by replacing the declaration with:

If there's a specific reason for capturing the _islandTokens value (for example, for future use), consider adding a comment explaining why it's being captured but not used.

hashtag
[LOW-02] Missing Zero Address Validation in Constructor

hashtag
Severity: Low

hashtag
Affected Contract

StakeV2.sol

hashtag
Description

The constructor accepts _stakingToken, _zapper, and _wbera addresses but doesn't validate that these aren't the zero address:

hashtag
Impact

Setting any of these critical components to the zero address would render the contract entirely unusable and necessitate redeployment.

hashtag
Recommendation

Add zero address validation in the constructor:

hashtag
Gas Optimisation

hashtag
[GAS-01] Multiple Approval Patterns in Claim Functions

hashtag
Severity: Gas Optimisation

hashtag
Affected Contract

StakeV2.sol

hashtag
Description

In each claim function (claimRewardsInNative, claimRewardsInToken0, etc.), there's a repetitive pattern of approving tokens to the zapper:

hashtag
Impact

Duplicated code increases contract size and deployment costs. It also makes maintenance more difficult as changes must be implemented in multiple places.

hashtag
Recommendation

Move the approval logic to the _verifyAndPrepareClaim function to eliminate code duplication and reduce gas costs associated with deployment. Update the function to handle the approval:

hashtag
[GAS-02] Duplicated Validation Logic

hashtag
Severity: Gas Optimisation

hashtag
Affected Contract

StakeV2.sol

hashtag
Description

All claim functions (claimRewardsInNative, claimRewardsInToken0, etc.) perform the same setup and validation, resulting in duplicated code.

hashtag
Impact

This results in increased contract size and gas costs for deployment. Additionally, it creates more complex maintenance requirements as changes must be made in multiple places.

hashtag
Recommendation

Extract the common logic into a separate internal function that handles the setup for all claim operations:

hashtag
Proof of Concept

hashtag
Proof of Concept

Please see the main body of the report

Previous#42407 [SC-Low] Updating MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR impacts unclaimed rewards of past epochsNext#42443 [SC-Critical] Vested `$YEET` are susceptible of being impossible to unstake

Was this helpful?