F-2025-0008·missing-validation
stakeTokens accepts any lock period with non-zero tier value
TL;DR
stakeTokens validates lock period only by checking that the tier value is non-zero, allowing direct contract callers to stake for unintended periods not in the lockPeriods array.
Severity
LOW
Impact
LOW
Likelihood
MEDIUM
Method
Manual review
CAT.
Complexity
LOW
Exploitability
MEDIUM
Description
The contract's validation for staking periods only checks if the tier value is greater than zero:
```solidity
function stakeTokens(uint numDays, uint amount) external nonReentrant {
    // Only checks that numDays has a tier value; never checks membership in lockPeriods
    require(tiers[numDays] > 0, "Invalid lock period");
    // ... rest of function
}
```
This means:
- Any period that has a non-zero tier value is accepted, even if it is not in the lockPeriods array.
- Users interacting directly with the contract could stake for unintended periods.
- A frontend dropdown could be changed to a numerical field.
Recommendation
Use a mapping for verification of allowed periods:
```solidity
mapping(uint => bool) public isAllowedPeriod;

constructor(address _stakingToken, address _nftContract, uint _rewardBoostMultiplier) {
    // Initialise allowed periods
    isAllowedPeriod[30] = true;
    isAllowedPeriod[60] = true;
    isAllowedPeriod[90] = true;
    // Set tiers as before
}

function stakeTokens(uint numDays, uint amount) external nonReentrant {
    require(isAllowedPeriod[numDays], "Lock period not in allowed list");
    require(tiers[numDays] > 0, "Invalid lock period");
    // ... rest of function
}
```
Resolution
Ample Protocol: Fixed.
Zealynx: Verified. isAllowedPeriod introduced.
Status
Fixed