Open Delta

Introduction

Open Delta’s Index Token Staking is a Solana program that lets users stake index tokens and stream rewards over configurable distribution windows. The design centers on linear time-based emissions, per-user staking positions, and an authority that can adjust distribution parameters. Core roles:

• Stakers: Deposit index tokens, accrue rewards pro-rata over time, and withdraw principal and rewards.
• Reward Distributors: Fund the reward vault and kick off emission rounds.
• Maintainers (Update Authority): Adjust distribution duration and other parameters with bounded controls.

Scope of the Engagement

The review covered ~700 non-comment, non-blank lines of Rust across instruction handlers, program state, and utilities.

Auditors: 2

Primary objectives:

• Validate reward-streaming math and per-user accounting (stake, unstake, withdraw, claim).
• Stress-test PDA seeds, vault bindings, and cross-account invariants to prevent pool cross-talk.
• Identify DoS risks around round rollover, zero-TVL edges, and admin updates.
• Surface precision/overflow and rounding issues with non-trivial decimals and fee-on-transfer tokens.

Challenges in Securing Time-Based Staking on Solana

PDA Binding & Vault Integrity

Staking systems must bind each user position to a single pool and enforce that withdrawals debit the correct vault. Any mismatch risks principal theft across pools (cf. C-01).

Round Rollover & Zero-TVL Windows

Linear emissions with integer math can strand funds or freeze progress when TVL hits zero mid-round, or when new rounds depend on minimum stake thresholds.

Precision, Overflow & Dust

Streaming rates computed with integer division create dust unless scaled; counters that only increase can overflow under pathological TVL.

Upgrades & Admin Timing

Changing distribution parameters mid-round must not retroactively distort prior rewards and any aux state must be initializable on-chain.

Token Semantics

SPL Token 2022 extensions (e.g., fee-on-transfer) break naive “sent == received” assumptions.

Results and Findings

Key Critical Issues

Multiple staking_states can be created for the same stake mint, enabling reward and principal theft across pools

Description:

The pool PDA (staking_state) used seeds [STAKING_STATE_SEED, stake_mint, authority], allowing parallel pools per mint. The user position PDA used only [USER_STAKING_ACCOUNT_SEED, stake_mint, user], silently shared across all pools for that mint. As a result, deposits in one pool inflated user_staking_account.staked_amount everywhere, and withdraw_stake() did not assert that the provided vault matched the staking_state, enabling cross-pool withdrawals and insolvency.

Resolution:

• Bind user positions to a single pool by including staking_state.key() in the user PDA seeds.
• Cross-check vault/authority bindings in withdraw paths; reject mismatched accounts.
• Added regression tests for cross-pool isolation. Status: Addressed in #df44d86.

Notable High-Severity Issues

No high-severity issues were identified.

Notable Medium-Severity Issues

Staking can be permanently DoS’ed after heavy unstake if the round has ended (insufficient total_staked gate)

Description:

deposit_reward_token required total_staked ≥ base and stake blocked new deposits after end_staking_period. If TVL dropped below one base unit at round end, no one could stake, and admins could not deposit to start a new round → permanent DoS.

Resolution:

Gate the total_staked ≥ base check to the first funding only (or allow when a prior end_staking_period > 0).

Status: Addressed in #e8b2e9c.

UpdatedStakerState account could not be initialized, DoSing updates

Description:

update_staker_state required an already-initialized UpdatedStakerState account, but the program offered no initializer, blocking legitimate updates.

Resolution:

Use init_if_needed with deterministic seeds so maintainers can create the account in-program; reuse across updates.

Status: Addressed in #728854a.

In conclusion

Impact of the Audit

The engagement removed a cross-pool isolation flaw that could drain rewards and principal, closed round-rollover and zero-TVL edge cases that led to permanent DoS or stranded funds, and upgraded precision and dust handling to maintain accounting invariants over long-running emissions. PDA seeds and vault bindings are now unambiguous, mid-round admin changes are safely sequenced, and the program is compatible with fee-on-transfer tokens. With these remediations and new regression tests, Open Delta’s Index Token Staking entered public testing with hardened pool isolation, resilient reward streaming, and clearer operational telemetry.

Three Sigma’s Value

Our review went beyond line-item bugs to stabilize the staking lifecycle under adverse conditions: minimal TVL, admin updates mid-flight, and token extensions. By tying user positions tightly to pools, buffering zero-TVL emissions, and enforcing precise errors and events, we helped transform a functional MVP into a durable, ops-friendly staking system. If you’re adapting staking or emissions logic to Solana or migrating to SPL Token 2022, we can help you ship with confidence.

We specialize in Solana staking and emissions audits. If your project is building similar mechanics or porting them to new networks, let us harden it before launch. Contact us to discuss securing your solana program and giving your users peace of mind.