Introduction
Layer3 is a Web3 platform focused on user engagement, onchain participation, and token-based incentives. Its staking module enables users to lock tokens for varying durations in exchange for proportional rewards, determined by staking weight and lockup length.
Why Did They Need an Audit?
The staking contract included logic for variable-duration locking, stake-weight-based reward allocation, and emergency owner withdrawals. A misstep in this logic—particularly around staking weight, reward pool sizing, or withdrawal conditions—could allow dishonest manipulation or break the accounting system. Layer3 engaged Three Sigma for a fast-track 2-day audit to ensure the staking system was safe for deployment.
Scope of the Engagement
- File Audited: Staking.sol
- Team: 1 auditor · 2 days
- Chain: Ethereum
- Audit Date: 2024-07-25
- Language: Solidity
- Type: Code Audit
Results and Findings
Key Critical Issue
Staked weight inflation via withdrawal bypass
- Description: When `withdrawalPeriod == 0`, users could bypass `initiateWithdrawal()` and withdraw instantly without reducing their `stakedWeight`. Since the system only subtracts from weight when `initiateWithdrawal()` is used, this led to an inflation vector: users could repeatedly stake, withdraw, and retain their share of rewards.
- Resolution: Now, when `withdrawalPeriod == 0`, the contract correctly reduces `stakedWeight` directly inside `withdraw()` unless it has already been reduced.
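The inflation described above, modelled as an added Python example that is not Layer3's Staking.sol (the stake-weight formula, method names and the `fixed` switch are assumptions): with `fixed=False` only `initiate_withdrawal()` subtracts weight, as in the original contract, so instant withdrawals while `withdrawal_period == 0` leave phantom weight behind; with `fixed=True`, `withdraw()` subtracts it too unless it has already been subtracted.

```python
from dataclasses import dataclass, field

@dataclass
class Stake:
    weight: int                   # amount * lockup multiplier (assumed formula)
    weight_reduced: bool = False  # True once stakedWeight has been subtracted

@dataclass
class StakingModel:
    """Toy accounting model of the audited logic, not Layer3's Staking.sol."""
    withdrawal_period: int
    fixed: bool                   # False = pre-audit behaviour, True = post-fix
    total_weight: int = 0
    user_weight: dict = field(default_factory=dict)
    stakes: dict = field(default_factory=dict)

    def stake(self, user, amount, multiplier):
        w = amount * multiplier
        self.stakes.setdefault(user, []).append(Stake(w))
        self.user_weight[user] = self.user_weight.get(user, 0) + w
        self.total_weight += w

    def _reduce(self, user, s):
        if not s.weight_reduced:  # guard: never subtract the same stake twice
            self.user_weight[user] -= s.weight
            self.total_weight -= s.weight
            s.weight_reduced = True

    def initiate_withdrawal(self, user, idx):
        # In the vulnerable version this was the ONLY place weight was reduced.
        self._reduce(user, self.stakes[user][idx])

    def withdraw(self, user, idx):
        s = self.stakes[user][idx]
        if self.withdrawal_period > 0 and not s.weight_reduced:
            raise RuntimeError("initiateWithdrawal() required first")
        if self.withdrawal_period == 0 and self.fixed:
            self._reduce(user, s)  # the fix: reduce here unless already reduced
        self.stakes[user].pop(idx)

def churn(fixed, rounds=3):
    # Churner stakes and instantly withdraws `rounds` times while withdrawalPeriod == 0.
    m = StakingModel(withdrawal_period=0, fixed=fixed)
    m.stake("honest", 100, 1)
    for _ in range(rounds):
        m.stake("churner", 100, 1)
        m.withdraw("churner", 0)  # instant withdraw, no initiateWithdrawal() call
    share = m.user_weight["churner"] / m.total_weight  # honest stake keeps total > 0
    return m.user_weight["churner"], round(share, 3)
```

After three stake/withdraw rounds the churner holds no tokens in the contract yet, in the unfixed model, still carries 300 of 400 total weight (75% of rewards); the fixed model returns its weight to 0.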
Notable Low-Severity Observation
Incomplete reward balance check
- Description: In `setRewardAmount()`, the contract checks whether sufficient tokens exist to allocate a new reward amount. However, it does not account for unclaimed rewards or already staked tokens, so the check can pass while the reward pool is actually undercollateralized.
- Resolution: Acknowledged. The team plans to handle reward accounting off-chain with accurate tracking.
In conclusion
Three Sigma conducted a 0.4-week audit of Layer3’s Button Game, a high-interaction smart contract with configurable timing, incentives, and token flows. One high-severity issue regarding pause logic was resolved, while a block stuffing risk was acknowledged as a future concern. All remaining low and informational findings were addressed. With proper administrative controls and precision upgrades, the Button is ready to launch with a fair and secure player experience.