Staking & Governance Security Checklist
25 security checks for staking, voting, and governance protocols, covering flash loan vote manipulation, reward timing exploits, epoch boundary attacks, delegation griefing, and vesting bypasses. Derived from real audit findings across major staking and governance platforms.
Threat Analysis
Key statistics from analyzing staking and governance audit findings:
• 1,900+ findings analyzed from real smart contract audits across major staking and governance protocols
• 25 vulnerability patterns identified and categorized across 5 security domains
• 15 Critical/High items require immediate attention in any staking/governance audit
Automate with Krait CLI
15 of these 25 checks (60%) can be automated against your codebase with Krait; the remaining 10 require manual review. Each item below is marked accordingly.
/krait:scan --deep
Categories
Flash Loan Vote/Stake Manipulation
Critical (Krait-automated): Governance voting weight or staking rewards are computed from the voter's current balance instead of a time-weighted or past-block snapshot, so tokens flash-borrowed and repaid within one transaction count at full weight.
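The difference between the two patterns, as an added Python model of the contract logic (not code from the page, from Krait, or from any real token): a token that appends a (block, balance) checkpoint on every balance change, a naive vote-weight function that reads the live balance, and a snapshot-based one that reads the balance as of a block that closed before the vote opened. The class and function names, and the lender/attacker balances, are constructed for the example; the binary-search lookup is the standard ERC20Votes-style approach.

```python
from bisect import bisect_right
from collections import defaultdict


class CheckpointedToken:
    """Token that records a (block, balance) checkpoint on every balance change.

    Hypothetical stand-in for an ERC20Votes-style token; checkpoint lists are
    kept sorted by block so past lookups are a binary search, not a scan.
    """

    def __init__(self):
        self.block = 0
        self.balance = defaultdict(int)
        self.ckpt_blocks = defaultdict(list)   # account -> [block, ...]
        self.ckpt_values = defaultdict(list)   # account -> [balance, ...]

    def mine(self, n=1):
        self.block += n

    def _checkpoint(self, acct):
        blocks, values = self.ckpt_blocks[acct], self.ckpt_values[acct]
        if blocks and blocks[-1] == self.block:
            values[-1] = self.balance[acct]      # same block: overwrite, do not append
        else:
            blocks.append(self.block)
            values.append(self.balance[acct])

    def mint(self, to, amount):
        self.balance[to] += amount
        self._checkpoint(to)

    def transfer(self, frm, to, amount):
        if self.balance[frm] < amount:
            raise ValueError("insufficient balance")
        self.balance[frm] -= amount
        self.balance[to] += amount
        self._checkpoint(frm)
        self._checkpoint(to)

    def get_past_balance(self, acct, at_block):
        """Balance at the end of `at_block`; only valid for already-mined blocks."""
        if at_block >= self.block:
            raise ValueError("block not yet mined")
        blocks = self.ckpt_blocks[acct]
        i = bisect_right(blocks, at_block)
        return self.ckpt_values[acct][i - 1] if i else 0


def vote_weight_naive(token, voter, snapshot_block):
    """Vulnerable: weight is whatever the voter holds at the moment of voting."""
    return token.balance[voter]


def vote_weight_snapshot(token, voter, snapshot_block):
    """Hardened: weight is fixed at a block that closed before the vote opened."""
    return token.get_past_balance(voter, snapshot_block)


def flash_loan_attack(weight_fn):
    """Borrow the whole pool, vote, repay, all inside one block.

    Returns the voting weight the attacker was credited with. The balances
    are constructed for the example.
    """
    t = CheckpointedToken()
    t.mint("lender", 1_000_000)
    t.mint("attacker", 10)
    t.mine(5)
    snapshot = t.block - 1                          # proposal snapshot is a past block
    t.transfer("lender", "attacker", 1_000_000)     # flash-borrow
    weight = weight_fn(t, "attacker", snapshot)     # cast the vote
    t.transfer("attacker", "lender", 1_000_000)     # repay in the same block
    return weight


if __name__ == "__main__":
    print("current-balance voting credits:", flash_loan_attack(vote_weight_naive))   # 1000010
    print("snapshot voting credits:", flash_loan_attack(vote_weight_snapshot))      # 10
```

Two things to check when reviewing a real implementation: the snapshot block must be strictly in the past relative to the voting window (a voting delay of at least one block), otherwise an attacker can still front-run the snapshot block itself; and the same rule applies to any supply or balance figure that feeds reward math (the Supply Oracle Manipulation item below), which should be read from a past checkpoint rather than the current state.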
Epoch Boundary Exploitation
Critical (Krait-automated): No minimum participation time per epoch, so a deposit made in the last block before the boundary earns the full epoch's rewards on equal terms with stakers who were in for the whole epoch.
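Balance-at-boundary payout next to stake-seconds payout, as an added Python model (not the page's or Krait's code, and not any real protocol): an honest staker holds for the whole epoch, a sniper deposits the same amount one second before the boundary. The EpochPool class, its method names, the epoch length and the reward figure are constructed for the example.

```python
class EpochPool:
    """Single-epoch reward pool. Hypothetical model; figures are constructed."""

    EPOCH = 7 * 24 * 3600          # epoch length in seconds
    REWARD_PER_EPOCH = 1_000

    def __init__(self):
        self.now = 0
        self.stake = {}            # user -> staked amount
        self.stake_since = {}      # user -> time of last accrual
        self.stake_seconds = {}    # user -> accumulated amount * seconds held

    def warp(self, seconds):
        self.now += seconds

    def _accrue(self, user):
        """Fold the time since the last accrual into the user's stake-seconds."""
        held = self.now - self.stake_since.get(user, self.now)
        self.stake_seconds[user] = self.stake_seconds.get(user, 0) + self.stake.get(user, 0) * held
        self.stake_since[user] = self.now

    def deposit(self, user, amount):
        self._accrue(user)                  # settle time held at the old amount first
        self.stake[user] = self.stake.get(user, 0) + amount

    def rewards_by_balance(self):
        """Vulnerable: pro rata by whatever is staked when the epoch closes."""
        total = sum(self.stake.values())
        return {u: self.REWARD_PER_EPOCH * a // total for u, a in self.stake.items()}

    def rewards_by_stake_seconds(self):
        """Hardened: pro rata by amount * seconds held during the epoch."""
        for u in self.stake:
            self._accrue(u)
        total = sum(self.stake_seconds.values())
        return {u: self.REWARD_PER_EPOCH * s // total for u, s in self.stake_seconds.items()}


def last_second_scenario():
    """Honest user staked all week; sniper deposits the same amount one second
    before the boundary. Returns (balance-based payout, stake-seconds payout)."""
    pool = EpochPool()
    pool.deposit("honest", 100)
    pool.warp(EpochPool.EPOCH - 1)
    pool.deposit("sniper", 100)
    pool.warp(1)                            # epoch closes
    return pool.rewards_by_balance(), pool.rewards_by_stake_seconds()


if __name__ == "__main__":
    by_balance, by_time = last_second_scenario()
    print("by balance at boundary:", by_balance)    # {'honest': 500, 'sniper': 500}
    print("by stake-seconds:", by_time)              # {'honest': 999, 'sniper': 0}
```

Integer division leaves one unit of rounding dust in the pool in the stake-seconds case; a real contract needs a rule for it (carry it into the next epoch or let the last claimant take it). A continuously updated rewardPerToken accumulator achieves the same time weighting implicitly, and a minimum staking age before reward eligibility is the cheaper but coarser alternative.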
Zero-Supply Quorum Bypass
Critical (Krait-automated): Quorum is computed as a percentage of totalSupply with no absolute floor, so when totalSupply reaches zero the quorum is zero and any proposal passes with zero votes.
Supply Oracle Manipulation for Reward Theft
High (Krait-automated): Circulating supply is read from current state and used in reward calculations, so it can be temporarily inflated or deflated via flash loan within a single transaction.
Cooldown/Lock Bypass via Reentrancy
High (Krait-automated): The lock or cooldown is checked before an external call, but the state that enforces it is written only after the call returns, so a reentrant call made from the callback passes the check again and bypasses the lock.
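The bypass in miniature, as an added Python model of the contract logic (not the page's or Krait's code, and not any real vault): a vault that rate-limits withdrawals to a per-call cap plus a cooldown, with the vulnerable order (check, pay out, then update state) beside checks-effects-interactions, and an attacker receiver that re-enters from the payout callback. The CooldownVault and ReentrantReceiver classes, the cap and cooldown values, and the callback mechanism (which stands in for an ERC777 hook or an ETH receive function) are constructed for the example.

```python
class Revert(Exception):
    """Models a contract revert."""


class CooldownVault:
    """Withdrawals are rate-limited: at most MAX_PER_WITHDRAW per COOLDOWN.

    Hypothetical model. `cei=False` reproduces the vulnerable order (check,
    external call, then state update); `cei=True` is checks-effects-interactions.
    """

    COOLDOWN = 24 * 3600
    MAX_PER_WITHDRAW = 100

    def __init__(self, cei):
        self.cei = cei
        self.now = 0
        self.reserve = 0            # tokens actually held by the vault
        self.stake = {}             # user -> credited stake
        self.cooldown_until = {}    # user -> earliest time of the next withdrawal
        self.paid = {}              # user -> total paid out
        self.hooks = {}             # user -> receiver with an on_receive callback

    def deposit(self, user, amount, hook=None):
        self.stake[user] = self.stake.get(user, 0) + amount
        self.reserve += amount
        if hook is not None:
            self.hooks[user] = hook

    def _send(self, user, amount):
        """Token transfer out; like an ETH or ERC777 transfer it calls the receiver back."""
        if self.reserve < amount:
            raise Revert("vault balance exhausted")
        self.reserve -= amount
        self.paid[user] = self.paid.get(user, 0) + amount
        if user in self.hooks:
            self.hooks[user].on_receive(self, user, amount)   # attacker code runs here

    def withdraw(self, user, amount):
        if amount > self.MAX_PER_WITHDRAW:
            raise Revert("per-withdrawal cap")
        if self.now < self.cooldown_until.get(user, 0):
            raise Revert("cooldown active")
        if self.stake.get(user, 0) < amount:
            raise Revert("insufficient stake")
        if self.cei:
            self.stake[user] -= amount                      # effects first...
            self.cooldown_until[user] = self.now + self.COOLDOWN
            self._send(user, amount)                        # ...interaction last
        else:
            self._send(user, amount)                        # interaction first...
            self.stake[user] -= amount                      # ...effects after the callback
            self.cooldown_until[user] = self.now + self.COOLDOWN


class ReentrantReceiver:
    """Attacker contract: on every payout, call withdraw again until the vault refuses."""

    def on_receive(self, vault, user, amount):
        try:
            vault.withdraw(user, amount)
        except Revert:
            pass                                            # vault refused; stop re-entering


def drain_attempt(cei):
    """Deposit 1,000, then make a single 100-unit withdrawal. Returns total paid out."""
    vault = CooldownVault(cei)
    vault.deposit("attacker", 1_000, ReentrantReceiver())
    vault.withdraw("attacker", 100)
    return vault.paid["attacker"]


if __name__ == "__main__":
    print("vulnerable order pays out:", drain_attempt(False))   # 1000
    print("checks-effects-interactions pays out:", drain_attempt(True))   # 100
```

In the vulnerable order the cooldown and the stake decrement are both written after the callback, so every nested call sees the original stake and no cooldown; the recursion stops only when the vault runs dry (on-chain it would be gas or the vault's token balance). With the state written first, the very first reentrant call hits the cooldown check. A nonReentrant guard is cheap insurance on top of the ordering fix, not a substitute for it.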
Reward Harvest Before State Change
Critical (Krait-automated): Functions that modify a user's position (deposit, withdraw, transfer) do not checkpoint the accumulator and settle pending rewards first, so accrued rewards are lost or misattributed, or can be gamed by timing the position change.
Reward Double-Claim via Position Transfer
High (Krait-automated): Transferring a staking position or NFT moves ownership but not the position's reward debt, so the new owner can claim rewards the previous owner already harvested.
Counter Consistency Across All Paths
High (Krait-automated): pendingRewards, totalStaked, or rewardPerToken is updated on some code paths (for example deposit) but not on others (emergency withdraw, transfer), so the accounting drifts out of sync and rewards are misallocated.
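One accumulator model covering the three reward-accounting items above (checkpoint before state change, reward debt on position transfer, counter consistency), as an added Python model that is not the page's or Krait's code and not any real protocol: a MasterChef-style pool with a global rewardPerToken accumulator and per-position reward debt. The `debt_by_owner` flag reproduces the vulnerable layout in which the debt is keyed by the owner address and so does not follow the position; the `checkpoint` flag on withdraw reproduces a path that changes totalStaked without first bringing the accumulator up to date. Class, method and scenario names, the rate and the amounts are constructed for the example.

```python
ACC_PRECISION = 10**12           # fixed-point scale for the accumulator


class RewardPool:
    """MasterChef-style pool: `rate` reward units per second stream to stakers
    pro rata, tracked by a global accumulator plus per-position reward debt.

    Hypothetical model. `debt_by_owner=True` keys the reward debt by
    (owner, position), the vulnerable layout: the debt does not follow the
    position when it changes hands.
    """

    def __init__(self, rate, debt_by_owner=False):
        self.rate = rate
        self.debt_by_owner = debt_by_owner
        self.now = 0
        self.last_update = 0
        self.acc_per_share = 0           # cumulative reward per staked unit, scaled
        self.total_staked = 0
        self.amount, self.owner, self.debt, self.claimed = {}, {}, {}, {}

    def warp(self, seconds):
        self.now += seconds

    def _update(self):
        """Bring the accumulator up to `now`. Must run before any change to
        total_staked, or the elapsed period is split with the wrong denominator."""
        if self.total_staked > 0:
            elapsed = self.now - self.last_update
            self.acc_per_share += elapsed * self.rate * ACC_PRECISION // self.total_staked
        self.last_update = self.now

    def _key(self, pid):
        return (self.owner[pid], pid) if self.debt_by_owner else pid

    def _settle(self, pid):
        """Checkpoint, pay the current owner what the position has earned, and
        reset its debt. Every position-mutating path calls this first."""
        self._update()
        earned_total = self.amount[pid] * self.acc_per_share // ACC_PRECISION
        owed = earned_total - self.debt.get(self._key(pid), 0)
        self.debt[self._key(pid)] = earned_total
        self.claimed[self.owner[pid]] = self.claimed.get(self.owner[pid], 0) + owed
        return owed

    def open(self, pid, owner, amount):
        self._update()
        self.owner[pid], self.amount[pid] = owner, amount
        self.total_staked += amount
        self.debt[self._key(pid)] = amount * self.acc_per_share // ACC_PRECISION

    def claim(self, pid):
        return self._settle(pid)

    def transfer_position(self, pid, new_owner):
        self._settle(pid)                # previous owner is paid up to now
        self.owner[pid] = new_owner      # debt travels with pid only if keyed by pid

    def withdraw(self, pid, checkpoint=True):
        if checkpoint:
            self._settle(pid)
        self.total_staked -= self.amount[pid]   # counter must change on this path too
        self.amount[pid] = 0
        self.debt[self._key(pid)] = 0


def double_claim_scenario(debt_by_owner):
    """Alice earns 1,000, claims, then sells the position to Bob with no time
    passing. Returns (alice's claim, bob's claim); bob's should be 0."""
    pool = RewardPool(rate=10, debt_by_owner=debt_by_owner)
    pool.open(1, "alice", 100)
    pool.warp(100)
    alice = pool.claim(1)
    pool.transfer_position(1, "bob")
    bob = pool.claim(1)
    return alice, bob


def missing_checkpoint_scenario(checkpoint):
    """Two equal stakers, 1,000 accrued; alice withdraws with or without the
    checkpoint. Returns (alice's total rewards, bob's claim); both should be 500."""
    pool = RewardPool(rate=10)
    pool.open(1, "alice", 100)
    pool.open(2, "bob", 100)
    pool.warp(100)
    pool.withdraw(1, checkpoint=checkpoint)
    bob = pool.claim(2)
    return pool.claimed.get("alice", 0), bob
```

With the debt keyed by owner, Bob's lookup finds no debt and is paid the 1,000 Alice already took (a double claim funded by the other stakers). With the withdraw path skipping the checkpoint, Alice's 500 is never paid and the whole 1,000 lands on Bob once the accumulator catches up, because the elapsed period is divided by the reduced totalStaked. The audit check is mechanical: every function that touches amount, owner or totalStaked must call the settle/update routine before the mutation, on every path, emergency paths included.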
Compound Interest Overflow at Extremes
High (Krait-automated): The compound-yield formula overflows at high rates or long durations, reverting under checked arithmetic (or wrapping silently without it) and leaving rewards or principal unclaimable.
Activity Validation for Reward Farming
Medium (Krait-automated): Weak activity validation lets bots generate fake on-chain activity to farm rewards.
Phantom Voting Power After Burn/Transfer
Critical (Krait-automated): Burned or transferred governance tokens are still counted in totalVotesSupply, so quorum is computed against tokens that can no longer vote and becomes unreachable.
Missing Unstake/Undelegate/Unlock Function
High (Krait-automated): stake, delegate or lock functions exist but their inverse (unstake, undelegate, unlock) does not, permanently locking user funds.
Vesting Schedule Bypass
High (Krait-automated): Team or investor vested tokens can be accessed before the cliff via an emergency withdrawal or admin override.
Proposal Execution Without Quorum Revalidation
High (manual review): Proposals that met quorum during voting can be executed after significant token supply changes, because quorum is not revalidated against the supply at execution time.
Vote Buying via Reward Redistribution
Medium (manual review): Governance rewards create an economic incentive for vote buying through external contracts that pay voters for casting votes a particular way.
Delegation Griefing via Checkpoint Accumulation
High (Krait-automated): A delegatee accumulates so many checkpoints that operations which iterate over them, such as delegation changes, run out of gas.
Delegation Power Retention After Transfer
High (manual review): Voting power is not moved on token transfer, so the transferred tokens remain delegated to the sender's delegatee instead of being moved to the recipient's delegatee or cleared.
Self-Delegation Loop Creates Infinite Voting Power
High (manual review): The delegation implementation allows circular delegation chains (A to B to A) that count the same tokens more than once and amplify voting power.
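The amplification and the fix, as an added Python model (not the page's or Krait's code and not any real token): the vulnerable variant forwards the delegator's current voting power, which already contains power delegated to them, so each hop of an A to B to A cycle re-counts the same tokens; the hardened variant moves only the delegator's own balance from the previous delegatee to the new one, so delegation is a single hop and can never exceed supply. The VotingPower class, its `forward_power` flag, and the balances are constructed for the example; the hardened behaviour is the ERC20Votes-style rule.

```python
class VotingPower:
    """Delegated voting power. Hypothetical model; `forward_power=True`
    reproduces the vulnerable implementation."""

    def __init__(self, balances, forward_power):
        self.balances = dict(balances)
        self.forward_power = forward_power
        self.delegatee = {a: a for a in balances}    # everyone starts self-delegated
        self.votes = dict(balances)

    def delegate(self, frm, to):
        if self.forward_power:
            # Vulnerable: hands over the delegator's *current voting power*,
            # which already includes power delegated to them, so a cycle
            # A -> B -> A re-counts the same tokens on every hop.
            self.votes[to] = self.votes.get(to, 0) + self.votes[frm]
        else:
            # Hardened (ERC20Votes-style): move only the delegator's own
            # balance from the previous delegatee to the new one. Delegation
            # is a single hop; power received from others is never forwarded.
            old = self.delegatee[frm]
            self.votes[old] -= self.balances[frm]
            self.votes[to] = self.votes.get(to, 0) + self.balances[frm]
        self.delegatee[frm] = to

    def total_votes(self):
        return sum(self.votes.values())

    def supply_invariant_holds(self):
        """Total voting power must equal the token supply at all times."""
        return self.total_votes() == sum(self.balances.values())


def delegation_loop(forward_power, rounds=3):
    """A holds 100 tokens, B holds none; they delegate back and forth.
    Returns (A's votes, B's votes, total votes)."""
    vp = VotingPower({"A": 100, "B": 0}, forward_power)
    for _ in range(rounds):
        vp.delegate("A", "B")
        vp.delegate("B", "A")
    return vp.votes["A"], vp.votes["B"], vp.total_votes()


if __name__ == "__main__":
    print("forwarding power:", delegation_loop(True))    # (1300, 800, 2100) from 100 tokens
    print("moving balance only:", delegation_loop(False))  # (0, 100, 100)
```

The invariant in `supply_invariant_holds` is the one to fuzz: after any sequence of transfers and delegations, the sum of all voting power must equal total supply. Any implementation that lets it exceed supply is exploitable regardless of how the cycle is constructed.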
Snapshot Timing Manipulation
Medium (manual review): An attacker accumulates tokens just before the snapshot block and dumps them immediately after, voting with weight held only for a moment.
Missing Timelock on Critical Parameter Changes
High (Krait-automated): An admin can instantly change reward rates, lock periods, or slashing conditions with no timelock, leaving users no window to react or exit.
Slashing Without Appeal or Delay
High (manual review): An admin can instantly slash staked positions with no challenge period or appeal mechanism.
Reward Token Recovery Drains Active Rewards
High (manual review): The token recovery (sweep) function does not exclude the active reward tokens, allowing an admin to drain undistributed rewards.
Emission Rate Change Without Reward Checkpoint
High (manual review): The reward emission rate is changed without first distributing pending rewards at the old rate, so rewards accrued before the change are recomputed at the new rate.
Uncontrolled Ownership Transfer
Medium (manual review): Single-step ownership transfer takes effect immediately with no acceptance step, so a mistyped address or a single compromised key moves control of the protocol instantly and irreversibly.
Emergency Pause Traps User Funds Permanently
Medium (manual review): Emergency pause blocks all operations, including withdrawals, with no forced-exit mechanism, so user funds stay trapped for as long as the pause lasts.
Need a Professional Staking/Governance Audit?
Staking and governance contracts control protocol direction and billions in locked value. Get your protocol audited by a team that understands vote manipulation, reward timing exploits, and delegation edge cases.