Skip to content

audit11: full post-audit re-review (PASS) + PoCs#17

Open
77ph wants to merge 1 commit into
mainfrom
audit/audit11
Open

audit11: full post-audit re-review (PASS) + PoCs#17
77ph wants to merge 1 commit into
mainfrom
audit/audit11

Conversation

@77ph

@77ph 77ph commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Full post-audit re-review of all L1/L2 contracts at the current post-audit commit.

Verdict: PASS — no exploitable vulnerabilities (0 Critical / 0 High / 0 Medium).

  • L-1 (Low, fee model): external-staking V1 rewards can be taxed twice (the ExternalStakingDistributor reward split plus Collector.protocolFactor applied again on relay), lowering the stOLAS-holder share from 80% to 72% of an external reward. Every wei stays within the protocol; the recommendation is to confirm the intended fee model. Quantified in audits/audit11/poc/double_fee.js.
  • I-1 (Informational / hardening): MultisigGuard does not constrain the service-multisig token balance. Confirmed non-exploitable — the external staking proxies gate claim/unstake to the ExternalStakingDistributor, so rewards are distributed atomically and leave ~0 on the Safe (see audits/audit11/poc/guard_balance.js). A hardening suggestion is included.
  • Several informational observations (withdrawal-delay configuration vs bridge latency, permissionless reserve staking, an event-label nuance, etc.).
  • All prior internal (audit1–10) and external (CODESPECT) resolutions were re-verified present and correct.
  • Two runnable PoCs under audits/audit11/poc/ (real Gnosis Safe + real Autonolas registries; run instructions in the poc README).

Full report: audits/audit11/README.md.

Complete manual re-review of all L1/L2 contracts at the post-audit merge commit.
Verdict PASS (0 Critical / 0 High / 0 Medium): one low-severity fee-model
observation (L-1: external-staking V1 rewards can be taxed twice by the ESD split
plus Collector.protocolFactor) and one hardening note (I-1: MultisigGuard does not
constrain the service-multisig token balance, confirmed non-exploitable), plus
informational observations. All prior internal (audit1-10) and external (CODESPECT)
resolutions re-verified present. Two runnable PoCs under audits/audit11/poc/.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant