Audit Report

Order DEMO-2026

VulnerableStaking (sample)

Audit complete

Tier

Standard

Submitted

2026-05-30

Findings

6

1 Critical · 2 High · 1 Medium · 1 Low · 1 Info

Findings preview

Full descriptions, code snippets, PoCs and remediation in the PDF report.

  • C-01

    Reentrancy in unstake() — external transfer before state update

    src/VulnerableStaking.sol#L90 · slither, slitherin

    Critical
  • H-01

    Oracle price manipulation enables reward inflation

    src/VulnerableStaking.sol#L99 · LLM auditor (no static tool flagged)

    High
  • H-02

    emergencyWithdraw() bypasses reward accounting

    src/VulnerableStaking.sol#L110 · LLM auditor (no static tool flagged)

    High
  • M-01

    Owner can swap oracle without timelock (centralization risk)

    src/VulnerableStaking.sol#L123 · aderyn

    Medium
  • L-01

    ERC20 transfer return values are not checked

    src/VulnerableStaking.sol#L86 · slither

    Low
  • I-01

    Missing zero-address checks in constructor

    src/VulnerableStaking.sol#L54 · aderyn

    Info