Vitalik Buterin
@vitalik.eth
The contract here is a sublinear staking contract: if you are in the whitelist (specified as an ERC1155 collection), then you can stake N coins, and get a return of N ** 0.75 coins per slot, for as long as the contract has coins to pay for it. There is a fundedUntil mechanism that ensures that if the contract runs out of money, every staker gets rewarded for every slot up to the fundedUntil timestamp, and the mechanism doesn't turn into a fractional reserve.
https://github.com/ethereum/research/blob/master/sublinear_staking/code.vy
Bounty of total 2 ETH for identifying any bugs / vulnerabilities in the contract and proposing specific fixes; if multiple issues are found, the bounty will be split based on severity.
Amount: 2 ETH @bountybot
23 replies
174 recasts
762 reactions

borodutch
@warpcastadmin.eth
here's one issue: technically if someone stakes enough, they can bring `_fundedUntil` down so much that no one will get any rewards, but the entity that stakes enough token will get all the rewards
moreover, the `isEligible` check just checks the balance of the token, which means if the token supports flash loans, one can flash loan large amount of token to stake, `stake`, bring down `_fundedUntil` to (maybe?) the same block, `unstake`, sell the rewarded token, cover cost of the flash loan and get profit
can probably be mitigated by having a time-lock mechanism for staking (this should eliminate the threat of flash loans); maybe also limiting amount of rewards per address (but then one can spawn many addresses); or maybe limit the rewards by the proportion of total supply of the token staked? not sure
1 reply
1 recast
26 reactions

borodutch
@warpcastadmin.eth
damn, sorry, `isEligible` doesn't matter here actually, it's a whitelist
but still someone can get a flash loan for the staked token, `stake`, bring down the `_fundedUntil`, `unstake`, sell the extra tokens, pay for flash loan, get profit
1 reply
0 recast
1 reaction

Vitalik Buterin
@vitalik.eth
But getting returns requires you to stake for a nonzero duration. So any staking-and-unstaking inside of a flash loan should just give you back exactly what you put in and no more.
1 reply
0 recast
2 reactions
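
A toy Python model of the mechanism discussed in this thread, added here as an illustration; it is not the Vyper contract and not code from any participant. The class `StakingModel`, its pool and horizon bookkeeping, and the sample amounts are assumptions chosen to show how a large stake moves the funded-until horizon and what a same-timestamp stake and unstake pays out.

```python
import math

class StakingModel:
    # Assumed accounting for the rule described in the thread (hypothetical names).
    def __init__(self, reward_pool, now=0):
        self.pool = float(reward_pool)  # rewards not yet earned by anyone
        self.checkpoint = now           # time of the last accounting update
        self.funded_until = math.inf    # nobody staked: pool is not draining
        self.stakes = {}                # address -> (amount, start_time)

    def _rate(self):
        # Total payout per slot: each staker earns N ** 0.75.
        return sum(n ** 0.75 for n, _ in self.stakes.values())

    def _accrue(self, now):
        # Set aside rewards earned since the checkpoint, capped at the horizon.
        elapsed = max(0, min(now, self.funded_until) - self.checkpoint)
        self.pool = max(0.0, self.pool - self._rate() * elapsed)
        self.checkpoint = now

    def _update_horizon(self, now):
        rate = self._rate()
        if rate == 0:
            self.funded_until = math.inf
        elif self.pool > 0:
            self.funded_until = now + self.pool / rate
        # Pool exhausted: horizon stays frozen, so nothing unfunded accrues.

    def stake(self, addr, amount, now):
        self._accrue(now)
        self.stakes[addr] = (amount, now)
        self._update_horizon(now)

    def unstake(self, addr, now):
        self._accrue(now)
        amount, start = self.stakes.pop(addr)
        paid_slots = max(0, min(now, self.funded_until) - start)
        self._update_horizon(now)
        return amount + amount ** 0.75 * paid_slots

def same_timestamp_round_trip():
    m = StakingModel(reward_pool=8000)        # constructed sample values
    m.stake("alice", 16, now=0)               # 16 ** 0.75 = 8 coins per slot
    before = m.funded_until
    m.stake("borrower", 16 ** 5, now=10)      # large stake pulls the horizon in
    during = m.funded_until
    returned = m.unstake("borrower", now=10)  # same timestamp as the stake
    return before, during, returned, m.funded_until
```

In this model the horizon drops from slot 1000 to just past slot 10 while the large stake is present, the zero-duration staker gets back exactly the staked amount, and the horizon returns to slot 1000 afterwards.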