Vitalik Buterin on Farcaster

Content pfp

https://warpcast.com/~/channel/vyper

0 reply

0 recast

0 reaction

Vitalik Buterin pfp

Vitalik Buterin

The contract here is a sublinear staking contract: if you are in the whitelist (specified as an ERC1155 collection), then you can stake N coins, and get a return of N ** 0.75 coins per slot, for as long as the contract has coins to pay for it. There is a fundedUntil mechanism that ensures that if the contract runs out of money, every staker gets rewarded for every slot up to the fundedUntil timestamp, and the mechanism doesn't turn into a fractional reserve. https://github.com/ethereum/research/blob/master/sublinear_staking/code.vy Bounty of total 2 ETH for identifying any bugs / vulnerabilities in the contract and proposing specific fixes, if multiple issues are found the bounty will be split based on severity. Amount: 2 ETH @bountybot

24 replies

98 recasts

465 reactions

Bounty Bot pfp

Does this bounty require an application process? i.e. interested users should confirm with you first before working on it This helps avoid potential duplicate work on some bounties if not specified

0 reply

2 recasts

13 reactions

Bounty Bot pfp

Confirmed! On your bounty page, you can pay users and view their bounty completion history Frame buttons - Admin: manage bounty status (in progress, complete), amount, deadline, add boost to get more attention on your bounty 🤖 commands - @bountybot cancel - @bountybot in progress - @bountybot complete (optional: tag winners) - @bountybot shoutout (optional: tag winner and write a positive review)

1 reply

0 recast

2 reactions

borodutch pfp

@farcasteradmin.eth

i wonder if line 88 should go before line 83 🤔 still exploring and trying to make sense of liabilities, just a hunch

1 reply

0 recast

3 reactions

androolloyd.hl pfp

something worth noting the isEligible check only happens on staking, so a user can acquire inline a token to flag true without having to actually hold the token for the duration of the staking. You'd likely want to do something where the eligible tokenID is locked into the staking contract for the duration.

1 reply

0 recast

0 reaction

✳️ dcposch pfp

not a vulnerability, but you probably want a configurable multiplier on getReturnPerSlot, otherwise results depend on token decimals. for example, stake 1 USDC = 1e6 ^ (3/4) = $0.03 reward per slot stake 1 DAI = 1e18 ^ (3/4) = $0.00003 reward per slot

0 reply

0 recast

21 reactions

Francesco Piccoli pfp

Francesco Piccoli

Not a critical vulnerability but considered a minor issue that can lead to inefficiencies and potential edge case behaviors: - The `stake` function does not verify that the `amount` to stake is greater than zero. Allowing users to stake zero tokens can lead to unnecessary state changes and potential edge case behaviors. - Recommendation: Add a require statement in the `stake` function to ensure that the `amount` is greater than zero before proceeding with the staking logic.

1 reply

0 recast

4 reactions

Varun Srinivasan pfp

Varun Srinivasan

0 reply

0 recast

4 reactions

horsefacts pfp

@horsefacts.eth

0 reply

0 recast

2 reactions

Catch0x22 pfp

@askgina.eth can you explain what this contract is for in simple terms

1 reply

0 recast

1 reaction

Francesco Piccoli pfp

Francesco Piccoli

Nice, we’ll run some scans with @almanax

0 reply

0 recast

1 reaction

Dennison Bertram pfp

Dennison Bertram

This is pretty incredible to see! Have you seen our Governance Staking Contracts? To use staking to drive participation in governance? https://github.com/withtally/govstaking

0 reply

0 recast

0 reaction

🦒 pfp

0 reply

0 recast

0 reaction

borodutch pfp

@farcasteradmin.eth

here's one issue: technically if someone stakes enough, they can bring `_fundedUntil` down so much that no one will get any rewards, but the entity that stakes enough token will get all the rewards moreover, the `isEligible` check just checks the balance of the token, which means if the token supports flash loans, one can flash loan large amount of token to stake, `stake`, bring down `_fundedUntil` to (maybe?) the same block, `unstake`, sell the rewarded token, cover cost of the flash loan and get profit can probably be mitigated by having a time-lock mechanism for staking (this should eliminate the threat of flash loans); maybe also limiting amount of rewards per address (but then one can spawn many addresses); or maybe limit the rewards by the proportion of total supply of the token staked? not sure

1 reply

1 recast

14 reactions

Firas Keskes pfp

My concern about Potential Loophole: Users can exploit this by temporarily acquiring the ERC-1155 token to pass the initial eligibility check, then selling it while still benefiting from staking rewards. Impact on Token Value: This behavior might devalue the ERC-1155 token since users don't need to hold it long-term to benefit from staking. Fairness Concerns: Users who maintain ownership of the ERC-1155 token might feel disadvantaged compared to those who sell it immediately after staking. Is there any solution?

0 reply

1 recast

0 reaction

vincemanguy pfp

This is the way🤝

0 reply

0 recast

0 reaction

Cláudio Silva pfp

@claudioengdist

I will work to put a version of this bounty live on Bug Buster ( bugbuster.app ) asap. The dApp is live on OP mainnet since August with a bounty for the solidify compiler.

0 reply

0 recast

0 reaction

zkfriendly pfp

@zkfriendly.eth

a1 stakes 1 eth at time 0. fast forward 1000 blocks. a2 stakes 0.1 eth. fundedUntil breaks

0 reply

0 recast

0 reaction

zkleo.eth pfp

I don't get this.. I mean, what is the purpose of this sublinear staking contract? A social experiment or smthing?

0 reply

0 recast

0 reaction

sarvad.base.eth pfp

sarvad.base.eth

@sarvadshetty.eth

ive never relly looked into to vyper but in the _unstake function shouldnt there be a require like check if the total amount to be sent back to the user is available in the contract?

0 reply

0 recast

0 reaction