| SIP | Title | Author | Status | Track | Created |
|---|---|---|---|---|---|
0049 |
Staking contract refactoring and other improvements |
Tyrone Johnson (@tjcloa) |
Ready for vote |
Contract |
2023-02-14 |
-
The Staking contract has reached the EIP-170 solidity contracts size limits.
-
The Staking contract is vulnerable to voting power theft. It is possible to steal the voting power associated with a specific stake by staking an arbitrarily small amount of SOV for the user at the same date and at the same time passing a new delegate as a parameter. As a result, the complete voting power of this stake is delegated to the passed delegate address.
-
The staking contract has an incorrect vesting stake for all of the lock dates for which the new 4 year vesting contracts were deployed, because of a wrong order of code execution during the deployment. As a consequence, it is not possible to withdraw the full amount of vested SOV on these lock dates. This SIP introduces a method which allows us to correct the vesting stake at these dates.
-
The guard against multiple manipulations of the same stake on a single transaction can be circumvented, because it is checking for the message sender address instead of the address to which the stake actually belongs.
-
stakeBySchedule function of the staking contract which is used by the vesting contracts to stake the vested tokens uniformly over a certain number of intervals, was making a token transfer for each interval which is not a gas-efficient way. It is redesigned to have only one token transfer per operation which effectively saves 7610 gas per vesting interval.
-
Governance Vesting withdraw function was unable to withdraw team vested tokens in some cases where there are too many stakes to iterate running into a block gas limit. It was refactored and the flow also improved to exclude redundant function calls between Staking and Vesting contracts.
-
Staking with Approval functionality is reintroduced. It used to be commented out as a workaround to fit into EIP-170 24 KB contract size limit.
-
Some inconsistencies regarding lock date adjustments were resolved.
If approved, this SIP will replace the Staking Logic contract in the Staking Proxy contract for the new StakingModulesProxy contract which proxies calls to the Staking logic functions grouped into meaningful module contracts. Therefore refactoring does not change any staking contract logic except for the listed above improvements and fixes.
-
Staking contract logic hit the EIP-170 contract code size limit which does not allow adding any functionality to it.
-
There were two long awaited to be resolved issues with the stakeBySchedule function and Governance team vesting withdraw function.
-
Immunefi bug bounty program report from a security researcher discovered a voting power theft vulnerability.
-
Staking contract has been given a thorough internal review which discovered missing test cases to guard from potential vulnerabilities.
In order to resolve the issues, a new modular contracts system using the same verified and audited architecture as the loan token and perp swap contracts was designed and implemented.
-
The new reusable ModulesProxy contract forwards all the Staking logic function calls to the respective module contracts.
-
7 new module contracts contain subsets of the large Staking contract functionality.
Existing Staking Logic contract: 0xa0a44943f84f1766b42e67273EE6091A6ccc9315
New Staking Modules Proxy contract: 0xe2b4A4213c823cb3E1B90D128aED17A86F45bBc0
Staking logic module contracts:
- StakingAdminModule: 0x382e6480d6cDe9E64953Feb6e12b33da849dA44a
- StakingGovernanceModule: 0x039119F8f4d28491C829682B3ebD5e9729477C74
- StakingStakeModule: 0xDf41bd1f610d0DBE9d990e3Eb04fd983777F1966
- StakingStorageModule: 0x8Bd4ED875dAD5CcDD1F9c276aCFC8067c287baEB
- StakingVestingModule: 0x4Ca823CED18212876BB13092E4460CC65d2C7874
- StakingWithdrawModule: 0x7FE861e0948df601F28e0D84664Fa2ddF4b39155
- WeightedStakingModule: 0xdB8798306fbf54Cb81859f72aB444eFa3D860Ff2
Proposed changes:
DistributedCollective/Sovryn-smart-contracts#448
DistributedCollective/Sovryn-smart-contracts#486
Copyright and related rights waived via CC0.