BadgerDAO · Smart Contract Security Assessment

Staked eBTC

Zealynx audited Staked eBTC, BadgerDAO's BTC-collateralized yield-bearing vault that issues stEBTC against deposited eBTC. The 1-week review of 701 nSLOC of Solidity covered the reward cycle accounting, permit-based deposit flow, fee logic, and admin sweep paths. The audit identified 6 issues including 1 Medium-severity precision loss in the reward cycle end computation, 3 Low-severity issues across event emission, permit failure handling and minting fee design, and 2 Informational style and naming notes.

Ethereum · Solidity · Smart Contract Code Review · 2024-10-11 · Zealynx methodology
Total findings: 6 (0 fixed · 6 acknowledged)
Critical: 0 · High: 0 · Medium: 1 · Low + Info: 5
02 Scope

Scope: 1 file · 701 SLOC
Platform: Ethereum · Solidity
Methodology: Zealynx methodology
File: StakedEbtc.sol
03 Findings

04 Key Findings

  • Precision loss in _cycleEnd calculation. The previewSyncRewards() function computes _cycleEnd using division and multiplication on integers, which loses precision and yields reward cycles that drift from the expected interval. Reward distribution is consequently smaller than intended.
  • Missing event emission in sweep(). The unauthorized-donation sweep path completes silently, leaving off-chain indexers and integrators with no on-chain trace of the transfer. Recommendation is to emit a Swept(token, amount) event.
  • Empty catch block in depositWithSignature(). The permit failure path catches the revert and continues without checking the allowance, so when the permit has been front-run and the remaining allowance is insufficient, the deposit reverts later in the flow, wasting gas. Recommendation is to check the allowance inside the catch and revert with a clear InsufficientAllowance error.
  • Minting fee penalises legitimate users. The proposed minting fee designed to deter Protocol Yield Splitting (PYS) gaming hits all users uniformly, including long-term holders. A blacklist of identified gaming addresses is recommended as a more targeted alternative, or as a precursor to fee deployment.
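To make the Medium finding concrete, the following is an added model (not code from StakedEbtc.sol) of an integer "divide then multiply" cycle-end computation of the kind the precision-loss note describes. The exact expression in previewSyncRewards() is not shown on this page, so the formula `((now + L) // L) * L` and the one-week cycle length are assumptions; the timestamps are constructed sample values.

```python
"""Model of integer rounding in a reward-cycle end computation.

Assumed pattern (not the audited contract's literal code):
    cycle_end = ((now + length) // length) * length
Python's // on non-negative ints floors exactly like Solidity uint division,
so the drift computed here matches what the EVM would produce.
"""

WEEK = 7 * 24 * 60 * 60  # assumed reward cycle length, in seconds


def cycle_end_floored(now: int, length: int = WEEK) -> int:
    """Cycle end rounded down to a multiple of `length` (assumed pattern)."""
    return ((now + length) // length) * length


def cycle_end_expected(now: int, length: int = WEEK) -> int:
    """Cycle end if a full interval were added without rounding."""
    return now + length


def cycle_drift(now: int, length: int = WEEK) -> int:
    """Seconds by which the floored end falls short of the expected end."""
    return cycle_end_expected(now, length) - cycle_end_floored(now, length)


def effective_cycle_length(now: int, length: int = WEEK) -> int:
    """How long the cycle actually runs when a sync happens at `now`."""
    return cycle_end_floored(now, length) - now


def shortest_effective_cycle(length: int = WEEK) -> tuple[int, int]:
    """Scan every offset into a cycle; return (shortest length, offset).

    A sync one second before an aligned boundary produces a cycle that is
    only one second long, which is the worst case of the drift.
    """
    best = (length, 0)
    for offset in range(length):
        eff = effective_cycle_length(offset, length)
        if eff < best[0]:
            best = (eff, offset)
    return best


if __name__ == "__main__":
    # Constructed timestamps: one aligned to the cycle, one just past a boundary.
    for ts in (3 * WEEK, 3 * WEEK + 1, 4 * WEEK - 1):
        print(ts, cycle_drift(ts), effective_cycle_length(ts))
    print(shortest_effective_cycle(length=100))  # small length for a quick scan
```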
05 Team & approval

Lead Auditor: Sergio (@Seecoalba)
Auditor: Bloqarl (@TheBlockChainer)
Auditor: Alejandro (@mevquant)
06 Disclaimer

This audit is not an endorsement and does not constitute investment advice. Zealynx reviewed the codebase at the commits listed in section 02 over the engagement window. Findings are limited to issues identified within that scope and do not preclude the existence of other vulnerabilities. Subsequent code changes are not covered by this report unless the engagement is explicitly extended.
