DESCRIPTION
LiNEAR Protocol is a liquid staking solution built on the NEAR Protocol. LiNEAR unlocks liquidity of the staked NEAR by creating a staking derivative to be engaged with various DeFi protocols on NEAR and Aurora, while also enjoying over 10% APY staking rewards of the underlying base tokens. LiNEAR is the cornerstone piece of the NEAR-Aurora DeFi ecosystem. The core contracts covered in this audit include LiNEAR contracts in the code repository. The iterative audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope. Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations. In summary, we did not find any critical issues within the audited codebase. However, we have identified four non-critical issues that should be addressed. Additionally, we have put four recommendations to further strengthen the code logic. It is important to note that the scope of our audit was strictly limited to the specific code versions mentioned in the report. Any updates made subsequent to our review would require a re-evaluation.
KEY FINDINGS
In total, we find 4 potential issues in the smart contract. We also have 4 recommendations and 0 notes, as follows:
| ID | Severity | Description | Category | Status |
|---|---|---|---|---|
| 1 | Medium | Precision loss | Software Security | Fixed |
| 2 | Low | User's available balance may be locked temporarily | DeFi Security | Confirmed |
| 3 | Medium | Unlimited reward distribution to beneficiaries | DeFi Security | Fixed |
| 4 | Low | Users' unstaking requests may not be satisfied in time | DeFi Security | Fixed |
| 5 | - | Function epoch_update_rewards may not work due to unlimited beneficiaries |
Recommendation | Fixed |
| 6 | - | Redundant code | Recommendation | Confirmed |
| 7 | - | Missing check on the prepaid_gas in function ft_transfer_call |
Recommendation | Fixed |
| 8 | - | The risk of centralized design | Recommendation | Confirmed |
More details are provided in the audit report.