StakeDAO implements an alternative to staking into Curve, Angle or Frax that lets users earn additional rewards. Similar to Curve, the reward allocation can be voted on by Stake Dao token holders who locked their Stake Dao in return for voting-escrowed Stake Dao.
The first code assessment was limited to three contracts (see Version 1 and Version 2). The issues found are tagged accordingly in this report. As a result of the first code assessment, the documentation and inline comments were refined and enhanced; however, there is still room for improvement. In the second stage of the code assessment, we reviewed most of the system as laid out in Scope.
We uncovered one high and one medium severity issue. In the high severity issue, a wrong variable is used as an index. The medium severity issue is already public: Angle tweeted about it and fixed it in their code base. The remaining issues are of low severity. A few low severity issues remain acknowledged or partially fixed, but all other issues, including the higher severity issues, were fixed accordingly.
The communication with the team was always professional and quick. We are happy to help in the future and conduct the review for the remaining contracts. The current code base provides a satisfactory level of security. Still, we recommend always keeping up with testing and putting enough time and effort into testing edge cases.
It is important to note that security code assessments are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.