Layer 3

Code Audit

A crypto-native onboarding tool powered by incentives.

Severity Issues (counts as displayed on the page)

  • critical / high: 1
  • informational: 1
  • medium: 0
  • low: 0

Audit Period

2 Days

Report

Introduction

Layer3 is a community engagement platform designed to onboard users into Web3 ecosystems through incentivized tasks and token-based rewards. For Season 3, Layer3 introduced a cross-chain token distribution system that allows users to claim rewards on Ethereum or Base with optional staking and liquid reward enhancements.

Why Did They Need an Audit?

This distribution system involved signature-based claims, Merkle proofs, and optional staking routes, each of which adds cryptographic verification and user-flow complexity. To reduce the risk of replay attacks, signature misuse, and inconsistent claim logic across routes, Layer3 engaged Three Sigma for a lightweight 0.4-person-week review of its reward distribution contracts.

Scope of the Engagement

Audit Date: 2025-03-10

Language: Solidity

Type: Code Audit

Results and Findings

Notable Low-Severity Issues

Lack of signature expiration

  • Description: The signatures that authorize reward claims carried no expiration timestamp, so a signed claim stays valid indefinitely once it has been issued. An attacker holding an old signature could submit it long after it was intended to be used. This is particularly problematic after logic upgrades, and for users who, for legal reasons, need control over the moment at which their tokens are claimed.
  • Resolution: Acknowledged. The team may add expiration timestamps (a deadline checked against block.timestamp) in a future version.

Missing EIP-712 support in L3Distributor

  • Description: L3Distributor signed claim data as EIP-191 messages, whereas the other contracts implemented EIP-712 typed data. Besides being inconsistent and harder for signers to inspect before signing, an EIP-191 message does not bind the chain ID or the verifying contract address, so a signature issued for one deployment could be replayed on a fork or a redeployment of the contract.
  • Resolution: Acknowledged. The team may adopt EIP-712 to standardize signing across contracts and bind each signature to a specific chain and contract.
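Both findings above come down to what the signed message binds: an EIP-191 message that covers only the claim fields is valid on any chain, for any contract, forever. The contract below is an added example written for this page; it is not Layer3's L3Distributor or code from the Three Sigma report, and the contract, struct and domain names (ClaimVerifier, Claim, "L3Distributor"/"1"), the per-claim nonce scheme and the single trusted signer are illustrative assumptions. It hashes a Claim struct under an EIP-712 domain that includes the chain ID and the verifying contract, rejects the claim once its deadline has passed, records each nonce so a signature cannot be used twice, and lets any caller submit the transaction while always paying out to the signed account.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Layer3's code): EIP-712 claim authorization with a
/// deadline and a per-claim nonce. All names here are illustrative assumptions.
contract ClaimVerifier {
    // keccak256 of the EIP-712 domain type string. Including chainId and
    // verifyingContract is what ties a signature to one deployment.
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");

    // The typed claim. `deadline` bounds the signature's lifetime; `nonce`
    // makes each authorization single-use.
    bytes32 private constant CLAIM_TYPEHASH =
        keccak256("Claim(address account,uint256 amount,uint256 nonce,uint256 deadline)");

    // Upper bound on `s` (secp256k1 n / 2) to reject malleable signatures.
    uint256 private constant MAX_S =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    address public immutable signer;           // off-chain authorizer (assumed)
    bytes32 private immutable _cachedSeparator;
    uint256 private immutable _cachedChainId;

    mapping(uint256 => bool) public claimed;    // nonce => already used

    event Claimed(address indexed account, uint256 amount, uint256 nonce, address submitter);

    error Expired(uint256 deadline, uint256 nowTs);
    error AlreadyClaimed(uint256 nonce);
    error BadSignature();

    constructor(address signer_) {
        signer = signer_;
        _cachedChainId = block.chainid;
        _cachedSeparator = _buildDomainSeparator();
    }

    function _buildDomainSeparator() private view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH,
            keccak256("L3Distributor"),   // domain name (assumed)
            keccak256("1"),               // domain version (assumed)
            block.chainid,
            address(this)
        ));
    }

    /// Rebuilds the separator if block.chainid has changed since deployment,
    /// so signatures produced for the original chain do not verify on a fork.
    function domainSeparator() public view returns (bytes32) {
        return block.chainid == _cachedChainId ? _cachedSeparator : _buildDomainSeparator();
    }

    /// EIP-712 digest the off-chain signer must sign.
    /// For contrast, the EIP-191 (personal_sign) equivalent would be
    ///   keccak256("\x19Ethereum Signed Message:\n32" || keccak256(abi.encode(account, amount)))
    /// which binds neither the chain nor this contract.
    function hashClaim(address account, uint256 amount, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        bytes32 structHash = keccak256(abi.encode(CLAIM_TYPEHASH, account, amount, nonce, deadline));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    /// Anyone may submit the claim (sponsorship); the payout goes to `account`.
    function claim(
        address account, uint256 amount, uint256 nonce, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        if (block.timestamp > deadline) revert Expired(deadline, block.timestamp);
        if (claimed[nonce]) revert AlreadyClaimed(nonce);
        if (uint256(s) > MAX_S) revert BadSignature();

        address recovered = ecrecover(hashClaim(account, amount, nonce, deadline), v, r, s);
        if (recovered == address(0) || recovered != signer) revert BadSignature();

        claimed[nonce] = true;             // effects before any external call
        emit Claimed(account, amount, nonce, msg.sender);
        // Reward token transfer to `account` would follow here.
    }
}
```

Two design points worth noting. The deadline check uses `>` so a signature is accepted up to and including its deadline second; if a fixed cut-off is wanted, the signer simply issues shorter deadlines rather than the contract hard-coding one. The nonce is an arbitrary value chosen by the signer, so a "claim" and a "claim-and-stake" authorization for the same account can be given different nonces without either invalidating the other.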

Informational Observations

  • collectDust() missing from two of the three contracts: Only L3Distributor included a mechanism for recovering non-reward tokens sent to the contract by mistake. The team later implemented the same function in StakingReward and LiquidReward.
  • No support for transaction sponsorship in L3Distributor: Unlike the other contracts, L3Distributor required msg.sender to be the claimer, so a third party could not submit (and pay gas for) a claim on a user's behalf. The team acknowledged this as a deliberate design decision, since the claim outcomes differ between contracts (plain claim vs. claim-and-stake).

In conclusion

Three Sigma conducted a focused audit of Layer3's Season 3 reward distribution logic, covering 266 lines of Solidity across three contracts. The review uncovered two low-severity issues related to signature lifetime and cross-chain replay risk, alongside minor inconsistencies in sponsorship support and utility functions between the contracts. These findings were either addressed or acknowledged. With the signature flow clarified and the replay considerations documented, the protocol is positioned to deliver a safe, flexible, multi-chain reward claiming experience.
