#42439 [SC-Insight] report for stakev2 contract
Was this helpful?
Was this helpful?
Submitted on Mar 23rd 2025 at 22:59:30 UTC by @pxng0lin for
Report ID: #42439
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
StakeV2.sol
In the executeRewardDistribution
function (line 195), the local variable _islandTokens
is declared and assigned a value from the return of zapper.zapInNative
, but it's never used in the function.
While not a security vulnerability, unused variables make the code less clean and potentially indicate incomplete implementation or a misunderstanding of the function's purpose.
Remove the unused variable by replacing the declaration with:
If there's a specific reason for capturing the _islandTokens
value (for example, for future use), consider adding a comment explaining why it's being captured but not used.
StakeV2.sol
The constructor accepts _stakingToken
, _zapper
, and _wbera
addresses but doesn't validate that these aren't the zero address:
Setting any of these critical components to the zero address would render the contract entirely unusable and necessitate redeployment.
Add zero address validation in the constructor:
StakeV2.sol
In each claim function (claimRewardsInNative
, claimRewardsInToken0
, etc.), there's a repetitive pattern of approving tokens to the zapper:
Duplicated code increases contract size and deployment costs. It also makes maintenance more difficult as changes must be implemented in multiple places.
Move the approval logic to the _verifyAndPrepareClaim
function to eliminate code duplication and reduce gas costs associated with deployment. Update the function to handle the approval:
StakeV2.sol
All claim functions (claimRewardsInNative
, claimRewardsInToken0
, etc.) perform the same setup and validation, resulting in duplicated code.
This results in increased contract size and gas costs for deployment. Additionally, it creates more complex maintenance requirements as changes must be made in multiple places.
Extract the common logic into a separate internal function that handles the setup for all claim operations:
Please see the main body of the report