- HIGHreentrancy-ethVault.sol:47–53high conf confirmed by 2 engines
Function withdraw() in Vault.sol:47-53 makes an external call (msg.sender.call{value: amount}('')) before updating balances[msg.sender]. An attacker contract can re-enter withdraw() inside its fallback and drain the contract one balance at a time. Confirmed by Mythril symbolic execution.
- MEDIUMunchecked-transferVault.sol:73high conf
token.transfer(recipient, amount) on Vault.sol:73 ignores the boolean return value. Standard ERC-20 tokens like USDT return false rather than reverting on failure. A silent failure leaves the contract in an inconsistent state.
- MEDIUMmissing-zero-checkVault.sol:32medium conf
Constructor accepts address(0) for the initial owner. If called by accident, future admin actions are bricked.
- LOWtimestampVault.sol:115medium conf
Use of block.timestamp for randomness or strict equality. Miners can shift block.timestamp by ~15 seconds.
- LOWexternal-functionVault.sol:55high conf
Public function 'deposit' is never called internally. Mark it 'external' to save gas (calldata vs memory).
- INFOsolc-versionVault.sol:1high conf
Pragma uses caret range (^0.8.20). Pin to a single compiler version (e.g. 0.8.24) for reproducible builds.
- INFOnaming-conventionVault.sol:22high conf
Constant 'maxStake' should be in UPPER_SNAKE_CASE: MAX_STAKE.
- INFOno-events-on-state-changeVault.sol:88medium conf
setRewardRate() mutates contract state without emitting an event. Off-chain indexers will miss the change.
Want one for your contract?
Free first scan, no card. Founder Pro €29/mo with a 7-day free trial — rate locked for life.