Layer 3

A crypto-native onboarding tool powered by incentives.

Introduction

Layer3 is a Web3 platform focused on user engagement, onchain participation, and token-based incentives. Its staking module enables users to lock tokens for varying durations in exchange for proportional rewards, determined by staking weight and lockup length.

Why Did They Need an Audit?

The staking contract included logic for variable-duration locking, stake-weight-based reward allocation, and emergency owner withdrawals. A misstep in this logic—particularly around staking weight, reward pool sizing, or withdrawal conditions—could allow dishonest manipulation or break the accounting system. Layer3 engaged Three Sigma for a fast-track 2-day audit to ensure the staking system was safe for deployment.

Scope of the Engagement

  • File Audited: Staking.sol
  • Team: 1 auditor · 2 days
  • Chain: Ethereum

Audit Date: 2024-07-25

Language: Solidity

Type: Code Audit

Results and Findings

Key Critical Issue

Staked weight inflation via withdrawal bypass

  • Description: When withdrawalPeriod == 0, users could bypass initiateWithdrawal() and withdraw instantly without reducing their stakedWeight. Since the system only subtracts from weight when initiateWithdrawal() is used, this led to an inflation vector: users could repeatedly stake, withdraw, and retain their share of rewards.
  • Resolution: Now, when withdrawalPeriod == 0, the contract correctly reduces stakedWeight directly inside withdraw() unless it has already been reduced.
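
The resolution above, sketched as an added example. This is not Layer3's Staking.sol: the storage layout, stakedAmount, totalWeight, unlockTime, _removeWeight() and the weight == amount rule are assumptions, and token transfers and reward math are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only; every name not on the audit page is hypothetical.
contract StakingSketch {
    uint256 public withdrawalPeriod;                  // 0 = instant withdrawals
    uint256 public totalWeight;                       // assumed reward-share denominator
    mapping(address => uint256) public stakedAmount;  // tokens held for the user
    mapping(address => uint256) public stakedWeight;  // user's reward-share numerator
    mapping(address => uint256) public unlockTime;    // set by initiateWithdrawal()

    constructor(uint256 period) { withdrawalPeriod = period; }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(unlockTime[msg.sender] == 0, "withdrawal pending");
        stakedAmount[msg.sender] += amount;
        stakedWeight[msg.sender] += amount;           // assumption: weight == amount
        totalWeight += amount;
    }

    // Idempotent: a second call finds weight 0 and changes nothing.
    function _removeWeight(address user) private {
        uint256 w = stakedWeight[user];
        if (w == 0) return;                           // already reduced
        stakedWeight[user] = 0;
        totalWeight -= w;
    }

    function initiateWithdrawal() external {
        require(stakedAmount[msg.sender] > 0, "no stake");
        _removeWeight(msg.sender);
        unlockTime[msg.sender] = block.timestamp + withdrawalPeriod;
    }

    function withdraw() external {
        require(stakedAmount[msg.sender] > 0, "no stake");
        if (withdrawalPeriod != 0) {
            uint256 t = unlockTime[msg.sender];
            require(t != 0 && block.timestamp >= t, "not unlocked");
        }
        // The flawed pattern relied on initiateWithdrawal() alone to subtract
        // weight, so the withdrawalPeriod == 0 path left stakedWeight intact.
        _removeWeight(msg.sender);
        stakedAmount[msg.sender] = 0;
        unlockTime[msg.sender] = 0;
        // Invariant to test: stakedWeight[user] == 0 whenever stakedAmount[user] == 0.
    }
}
```

The invariant in the final comment is the property a unit or fuzz test should assert after every stake and withdraw sequence, for both zero and non-zero withdrawalPeriod.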

Notable Low-Severity Observation

Incomplete reward balance check

  • Description: In setRewardAmount(), the contract checks whether sufficient tokens exist to allocate a new reward amount. However, it does not account for unclaimed rewards or already staked tokens, meaning the function could appear valid while undercollateralized.
  • Resolution: Acknowledged. Team plans to handle reward accounting off-chain with accurate tracking.

Severity Issues

  • critical
  • high: 1
  • informational: 1
  • medium: 0
  • low: 0

Audit Period

2 Days

In conclusion

Three Sigma conducted a 0.4-week audit of Layer3’s Button Game, a high-interaction smart contract with configurable timing, incentives, and token flows. One high-severity issue regarding pause logic was resolved, while a block stuffing risk was acknowledged as a future concern. All remaining low and informational findings were addressed. With proper administrative controls and precision upgrades, the Button is ready to launch with a fair and secure player experience.
