Introduction
Open Delta’s Index Token Staking is a Solana program that lets users stake index tokens and stream rewards over configurable distribution windows. The design centers on linear time-based emissions, per-user staking positions, and an authority that can adjust distribution parameters. Core roles:
- Stakers: Deposit index tokens, accrue rewards pro-rata over time, and withdraw principal and rewards.
- Reward Distributors: Fund the reward vault and kick off emission rounds.
- Maintainers (Update Authority): Adjust distribution duration and other parameters with bounded controls.
Scope of the Engagement
The review covered ~700 non-comment, non-blank lines of Rust across instruction handlers, program state, and utilities.
Auditors: 2
Primary objectives:
- Validate reward-streaming math and per-user accounting (stake, unstake, withdraw, claim).
- Stress-test PDA seeds, vault bindings, and cross-account invariants to prevent pool cross-talk.
- Identify DoS risks around round rollover, zero-TVL edges, and admin updates.
- Surface precision/overflow and rounding issues with non-trivial decimals and fee-on-transfer tokens.
Challenges in Securing Time-Based Staking on Solana
PDA Binding & Vault Integrity
Staking systems must bind each user position to a single pool and enforce that withdrawals debit the correct vault. Any mismatch risks principal theft across pools (cf. C-01).
Round Rollover & Zero-TVL Windows
Linear emissions with integer math can strand funds or freeze progress when TVL hits zero mid-round, or when new rounds depend on minimum stake thresholds.
Precision, Overflow & Dust
Streaming rates computed with integer division create dust unless scaled; counters that only increase can overflow under pathological TVL.
Upgrades & Admin Timing
Changing distribution parameters mid-round must not retroactively distort prior rewards and any aux state must be initializable on-chain.
Token Semantics
SPL Token 2022 extensions (e.g., fee-on-transfer) break naive “sent == received” assumptions.
Audit Date: 2025-04-22
Language: Rust
Type: Code Audit
Results and Findings
Key Critical Issues
Multiple staking_states can be created for the same stake mint, enabling reward and principal theft across pools
Description:
The pool PDA (staking_state
) used seeds [STAKING_STATE_SEED, stake_mint, authority]
, allowing parallel pools per mint. The user position PDA used only [USER_STAKING_ACCOUNT_SEED, stake_mint, user]
, silently shared across all pools for that mint. As a result, deposits in one pool inflated user_staking_account.staked_amount
everywhere, and withdraw_stake()
did not assert that the provided vault matched the staking_state, enabling cross-pool withdrawals and insolvency.
Resolution:
- Bind user positions to a single pool by including
staking_state.key()
in the user PDA seeds. - Cross-check vault/authority bindings in withdraw paths; reject mismatched accounts.
- Added regression tests for cross-pool isolation. Status: Addressed in
#df44d86
.
Notable High-Severity Issues
No high-severity issues were identified.
Notable Medium-Severity Issues
Staking can be permanently DoS’ed after heavy unstake if the round has ended (insufficient total_staked gate)
Description:
deposit_reward_token
required total_staked ≥ base
and stake
blocked new deposits after end_staking_period
. If TVL dropped below one base unit at round end, no one could stake, and admins could not deposit to start a new round → permanent DoS.
Resolution:
Gate the total_staked ≥ base
check to the first funding only (or allow when a prior end_staking_period > 0
).
Status: Addressed in #e8b2e9c
.
UpdatedStakerState account could not be initialized, DoSing updates
Description:
update_staker_state
required an already-initialized UpdatedStakerState
account, but the program offered no initializer, blocking legitimate updates.
Resolution:
Use init_if_needed
with deterministic seeds so maintainers can create the account in-program; reuse across updates.
Status: Addressed in #728854a
.
In conclusion
Impact of the Audit
The engagement removed a cross-pool isolation flaw that could drain rewards and principal, closed round-rollover and zero-TVL edge cases that led to permanent DoS or stranded funds, and upgraded precision and dust handling to maintain accounting invariants over long-running emissions. PDA seeds and vault bindings are now unambiguous, mid-round admin changes are safely sequenced, and the program is compatible with fee-on-transfer tokens. With these remediations and new regression tests, Open Delta’s Index Token Staking entered public testing with hardened pool isolation, resilient reward streaming, and clearer operational telemetry.
Three Sigma’s Value
Our review went beyond line-item bugs to stabilize the staking lifecycle under adverse conditions: minimal TVL, admin updates mid-flight, and token extensions. By tying user positions tightly to pools, buffering zero-TVL emissions, and enforcing precise errors and events, we helped transform a functional MVP into a durable, ops-friendly staking system. If you’re adapting staking or emissions logic to Solana or migrating to SPL Token 2022, we can help you ship with confidence.
We specialize in Solana staking and emissions audits. If your project is building similar mechanics or porting them to new networks, let us harden it before launch. Contact us to discuss securing your solana program and giving your users peace of mind.