Ample Protocol · Smart Contract Security Assessment

Ample Protocol Staking Smart Contract

Zealynx audited the Ample Protocol staking contract, the on-chain reward and lock-period system at the centre of an IP-tokenization protocol with NFT-boosted yield. The 7-day review identified 21 issues including 1 High (lack of reward token segregation creating fractional-reserve risk under high withdrawals) and 4 Mediums covering tier synchronisation, NFT boost rental exploitation, missing 10 percent reward cap, and absent pause controls. All non-informational findings were fixed and verified.

Base · Solidity · Smart Contract Code Review · 2025-05-19 · Zealynx methodology
Total findings: 21 (10 fixed · 11 acknowledged)
Critical: 0
High: 1
Medium: 4
Low + Info: 16

02 Scope

1 file · 125 SLOC
Initial commit: 45f12c5d992d
Platform: Base · Solidity
Methodology: Zealynx methodology
File: StakingContract.sol

03 Findings

Severity · ID · Finding · Status
High · F-2025-0001 · Lack of reward token segregation leads to unreliable reward accounting and potential underpayment · Fixed
Medium · F-2025-0002 · Tier updates not reflected in lockPeriods array leads to stale staking period information · Fixed
Medium · F-2025-0003 · Lack of NFT ownership check on closePosition enables boost market exploitation · Fixed
Medium · F-2025-0004 · Missing max reward allocation check enables exceeding 10 percent token supply limit · Fixed
Medium · F-2025-0005 · Missing pause / unpause functions prevents emergency protocol shutdown · Fixed
Low · F-2025-0006 · Manual reward funding mechanism poses operational risk · Fixed
Low · F-2025-0007 · Non-upgradeable contract may require complex migration for future changes · Fixed
Low · F-2025-0008 · stakeTokens accepts any lock period with non-zero tier value · Fixed
Low · F-2025-0009 · Custom ownership implementation lacks secure ownership transfer mechanism · Fixed
Low · F-2025-0010 · Missing initializer protection enables potential initialization hijacking · Fixed
Info · F-2025-0011 · Redundant allowance check · Acknowledged
Info · F-2025-0012 · Consider adding a totalStaked per address getter · Acknowledged
Info · F-2025-0013 · Missing position existence check leads to misleading errors · Acknowledged
Info · F-2025-0014 · Inconsistent terminology between rewards and interest · Acknowledged
Info · F-2025-0015 · Redundant initialization of uint to zero · Acknowledged
Info · F-2025-0016 · Unused IStakingContract interface · Acknowledged
Info · F-2025-0017 · Redundant positionId in Position struct · Acknowledged
Info · F-2025-0018 · Consider using named mappings for improved code readability · Acknowledged
Info · F-2025-0019 · Consider updating to latest Solidity version · Acknowledged
Info · F-2025-0020 · Use custom errors instead of string revert messages · Acknowledged
Info · F-2025-0021 · Inconsistent use of ReentrancyGuard · Acknowledged
04 Key Findings

  • Lack of reward token segregation creates fractional reserve risk. StakingContract does not separate user-staked tokens from reward tokens in its balance, so under high withdrawal pressure the contract can pay out rewards from staked principal and leave later users unable to withdraw.
  • Tier updates not reflected in lockPeriods array. updateTier mutates tiers but never updates lockPeriods, leaving getLockPeriods() returning stale data and integrators with mismatched lock-period information.
  • NFT ownership only checked at stake time enables boost-rental markets. Boosted rewards are locked into the position struct at stake time without re-validation at withdrawal, allowing a single NFT to be rented across many positions to harvest boosts.
  • Missing 10 percent max reward cap. fundRewards accepts unlimited inflows, breaking the protocol's documented tokenomics where reward funding is capped at 10 percent of total supply.
  • No pause / unpause functions despite inheriting PausableUpgradeable. The contract initialises pausable but never exposes pause controls, so the team cannot halt the contract during a discovered exploit.
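The reward-segregation and reward-cap fixes described above, as an added Solidity sketch that is not the audited contract's code: `SegregatedStaking`, `rewardReserve`, `committedRewards`, `totalFunded`, `rewardBps` and the `MAX_REWARD_BPS` constant are assumptions, and lock periods, tiers, NFT boosts and pausing are deliberately left out. The point is that principal and rewards are never treated as one undifferentiated token balance, and that a position can only be opened once the reserve can honour the reward it promises.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";

/// Illustrative vault, not the audited StakingContract. Names and numbers are assumptions.
contract SegregatedStaking {
    IERC20 public immutable token;
    address public owner;
    uint256 public totalStaked;      // principal owed back to stakers
    uint256 public rewardReserve;    // tokens earmarked for rewards only
    uint256 public committedRewards; // rewards already promised to open positions
    uint256 public totalFunded;      // lifetime reward funding, checked against the cap
    uint256 public constant MAX_REWARD_BPS = 1_000; // 10 percent of total supply

    struct Position { uint256 amount; uint256 reward; bool open; }
    mapping(address => Position[]) public positions;

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    /// Funding goes only into rewardReserve and is capped at 10 percent of supply.
    function fundRewards(uint256 amount) external {
        require(msg.sender == owner, "not owner");
        uint256 cap = token.totalSupply() * MAX_REWARD_BPS / 10_000;
        require(totalFunded + amount <= cap, "reward cap exceeded");
        totalFunded += amount;
        rewardReserve += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    /// The promised reward is reserved at stake time, so a position can only be
    /// opened if the reserve can actually cover it (rewardBps is illustrative).
    function stakeTokens(uint256 amount, uint256 rewardBps) external {
        uint256 reward = amount * rewardBps / 10_000;
        require(committedRewards + reward <= rewardReserve, "reserve cannot cover reward");
        committedRewards += reward;
        totalStaked += amount;
        positions[msg.sender].push(Position(amount, reward, true));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    /// Principal is paid from totalStaked and the reward from rewardReserve, so a
    /// reward shortfall can never be covered with another staker's deposit.
    function closePosition(uint256 id) external {
        Position storage p = positions[msg.sender][id];
        require(p.open, "position closed");
        p.open = false;
        totalStaked -= p.amount;
        rewardReserve -= p.reward;
        committedRewards -= p.reward;
        require(token.transfer(msg.sender, p.amount + p.reward), "transfer failed");
    }
}
```

Because committedRewards never exceeds rewardReserve and both decrease by the same amount on close, the subtractions in closePosition cannot underflow, and the invariant `token.balanceOf(this) >= totalStaked + rewardReserve` is a useful check to assert in tests.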
05 Team & approval

Auditor: Sergio (@Seecoalba)
Lead Auditor: Carlos (Bloqarl) (@TheBlockChainer)
06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.
