report.md

THIS CHECKLIST IS NOT COMPLETE. Use --show-ignored-findings to show all the results. Summary

• divide-before-multiply (1 results) (Medium)
• events-access (2 results) (Low)
• events-maths (4 results) (Low)
• calls-loop (1 results) (Low)
• reentrancy-events (2 results) (Low)
• timestamp (4 results) (Low)
• costly-loop (3 results) (Informational)
• low-level-calls (1 results) (Informational)
• naming-convention (1 results) (Informational)
• redundant-statements (4 results) (Informational)

divide-before-multiply

Impact: Medium Confidence: Medium

• ID-0 LDYStaking.earned(address,uint256) performs a multiplication on the result of a division: - weightedAmount = (userInfo.stakedAmount * multiplier) / MULTIPLIER_BASIS - rewardsSinceLastUpdate = ((weightedAmount * (rewardPerToken() - userInfo.rewardPerTokenPaid)) / 1e18)

contracts/src/LDYStaking.sol#L409-L416

events-access

Impact: Low Confidence: Medium

• ID-1 LToken.setWithdrawer(address) should emit an event for: - withdrawer = withdrawer_

contracts/src/LToken.sol#L300-L306

• ID-2 LToken.setFund(address) should emit an event for: - fund = fund_

contracts/src/LToken.sol#L312-L318

events-maths

Impact: Low Confidence: Medium

• ID-3 LToken.setRetentionRate(uint32) should emit an event for: - retentionRateUD7x3 = retentionRateUD7x3_

contracts/src/LToken.sol#L283-L286

• ID-4 LDYStaking.setStakeAmountForPerks(uint256) should emit an event for: - stakeAmountForPerks = stakeAmountForPerks_

contracts/src/LDYStaking.sol#L304-L306

• ID-5 LToken.setFeesRate(uint32) should emit an event for: - feesRateUD7x3 = feesRateUD7x3_

contracts/src/LToken.sol#L272-L275

• ID-6 LDYStaking.setStakeDurationForPerks(uint256) should emit an event for: - stakeDurationForPerks = stakeDurationForPerks_

contracts/src/LDYStaking.sol#L295-L297

calls-loop

Impact: Low Confidence: Medium

• ID-7 LToken.getWithdrawnAmountAndFees(address,uint256) has external calls inside a loop: ldyStaking.tierOf(account) >= 2

contracts/src/LToken.sol#L603-L621

reentrancy-events

Impact: Low Confidence: Medium

• ID-8 Reentrancy in LDYStaking.notifyRewardAmount(uint256): External calls: - stakeRewardToken.safeTransferFrom(_msgSender(),address(this),amount) Event emitted after the call(s): - NotifiedRewardAmount(amount,rewardRatePerSec)

contracts/src/LDYStaking.sol#L346-L374

• ID-9 Reentrancy in LToken.processQueuedRequests(): External calls: - underlying().safeTransfer(request.account,withdrawnAmount) Event emitted after the call(s): - ActivityEvent(int256(nextRequestId),_msgSender(),Action.Withdraw,request.amount,request.amount,Status.Moved,int256(withdrawalQueue.length)) - ActivityEvent(int256(nextRequestId),request.account,Action.Withdraw,request.amount,withdrawnAmount,Status.Success,NO_ID)

contracts/src/LToken.sol#L740-L851

timestamp

Impact: Low Confidence: Medium

• ID-10 LDYStaking.unstake(uint256,uint256) uses timestamp for comparisons Dangerous comparisons: - require(bool,string)(block.timestamp >= userStakingInfo[_msgSender()][stakeIndex].unStakeAt,Cannot unstake during staking period)

contracts/src/LDYStaking.sol#L218-L263

• ID-11 LDYStaking.notifyRewardAmount(uint256) uses timestamp for comparisons Dangerous comparisons: - block.timestamp >= finishAt - require(bool,string)(rewardRatePerSec > 0,reward rate = 0) - require(bool,string)(rewardRatePerSec <= (stakeRewardToken.balanceOf(address(this)) + amount - totalStaked) / rewardsDuration,reward amount > balance)

contracts/src/LDYStaking.sol#L346-L374

• ID-12 LDYStaking.setRewardsDuration(uint256) uses timestamp for comparisons Dangerous comparisons: - require(bool,string)(finishAt < block.timestamp,reward duration is not finished)

contracts/src/LDYStaking.sol#L285-L288

• ID-13 LDYStaking._min(uint256,uint256) uses timestamp for comparisons Dangerous comparisons: - x <= y

contracts/src/LDYStaking.sol#L513-L515

costly-loop

Impact: Informational Confidence: Medium

• ID-14 LToken.processQueuedRequests() has costly operations inside a loop: - delete withdrawalQueue[nextRequestId]

contracts/src/LToken.sol#L740-L851

• ID-15 LToken.processQueuedRequests() has costly operations inside a loop: - delete withdrawalQueue[nextRequestId]

contracts/src/LToken.sol#L740-L851

• ID-16 LToken.processQueuedRequests() has costly operations inside a loop: - delete withdrawalQueue[nextRequestId]

contracts/src/LToken.sol#L740-L851

low-level-calls

Impact: Informational Confidence: High

• ID-17 Low level call in LToken.requestWithdrawal(uint256): - (sent) = withdrawer.call{value: msg.value}()

contracts/src/LToken.sol#L679-L733

naming-convention

Impact: Informational Confidence: High

• ID-18 Constant LToken.MAX_FEES_RATE_UD7x3 is not in UPPER_CASE_WITH_UNDERSCORES

contracts/src/LToken.sol#L89

redundant-statements

Impact: Informational Confidence: High

• ID-19 Redundant expression "amount" inLToken

contracts/src/LToken.sol#L553

• ID-20 Redundant expression "account" inLToken

contracts/src/LToken.sol#L563

• ID-21 Redundant expression "account" inLToken

contracts/src/LToken.sol#L552

• ID-22 Redundant expression "amount" inLToken

contracts/src/LToken.sol#L564