Security Audit Report for Octopus Restaking


The core contracts covered in this audit include restaking-base and lpos_market in and The audit covers the code in the initial version, as well as subsequent versions to fix discovered issues, as detailed in our audit report. Please note that external dependencies are assumed reliable and are therefore excluded from the audit scope.

Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations. In summary, we have found that the codebase contains several critical issues that require prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered.The Octopus team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.


In total, we find 32 potential issues in the smart contract. We also have 6 recommendations and 1 notes, as follows:

High Risk: 19
Medium Risk: 9
Low Risk: 4
Recommendation: 6
Note: 1
ID Severity Description Category Status
1 High Incorrect Caller Verification in Function ft_on_transfer() DeFi Security Fixed
2 High Lack of Check in Function slash_request() DeFi Security Fixed
3 High Lack of Check in Function handle_anchor_deposit_reward_msg() DeFi Security Confirmed
4 High Incorrect Calculation of Validator Commission DeFi Security Fixed
5 Low Incorrect Validation in Function deploy() DeFi Security Confirmed
6 Medium Failure of Cross-Contract Call Result Handling DeFi Security Confirmed
7 Medium Incorrect Validation in Function delegate() DeFi Security Confirmed
8 High Incorrect Slash Amount DeFi Security Fixed
9 High Incorrect Use of max()/min() DeFi Security Fixed
10 High Funds Loss Due to Unsaved Treasury Account DeFi Security Fixed
11 High Potential DoS Due to Inappropriate Implementation of Locking Logic DeFi Security Confirmed
12 High Unrefunded NEAR in function stake_after_check_whitelisted() DeFi Security Fixed
13 Medium Incorrect Rounding Direction DeFi Security Fixed
14 Medium Potential Panic in Callback Function bond_callback() DeFi Security Fixed
15 High Ineffective Lock on Important Functions DeFi Security Fixed
16 Low Lack of Pause Functionality in Function bond() DeFi Security Fixed
17 Medium Unrefunded Storage Fee of Failed Cross-contract Invocations DeFi Security Confirmed
18 High Incorrect Amount of NEAR Attached in Function change_key() DeFi Security Fixed
19 Medium Incorrect Gas Setting in the Function bond() DeFi Security Fixed
20 Medium Unintended Overpayment of Fees by Contract Account DeFi Security Fixed
21 High Failure to Clear State Due to Delayed State Saving DeFi Security Fixed
22 High Potential DoS in internal_slash_in_staker_shares() DeFi Security Fixed
23 High Incorrect Penalty Amount in the Slash Process DeFi Security Fixed
24 Medium Unlimited Delay in Asset Withdrawal Due to Continuous Invocation of decease_stake() DeFi Security Fixed
25 Low Unrefunded STORAGE_FEE of Released Storage DeFi Security Confirmed
26 Low No Storage Fee Charged in Function sync_consumer_chain_pos() DeFi Security Confirmed
27 High Unlimited Withdrawn with Reused UnstakeBatchId DeFi Security Fixed
28 High Potential Panic in Callback Function stake_after_check_whitelisted() DeFi Security Fixed
29 Medium Lack of Storage Fee Charge DeFi Security Confirmed
30 High Panic in Callback Function stake_callback() DeFi Security Fixed
31 High Potential DoS in Function destroy() DeFi Security Confirmed
32 High Potential Panic in Function transfer_near() DeFi Security Confirmed
33 Redundant code Recommendation Fixed
34 - Lack of Validation for Register Fee Recommendation Confirmed
35 - Lack of Check in Function delegate Recommendation Fixed
36 - Incorrect Error Message Recommendation Fixed
37 - Refunding Excessive Registration Fee to Incorrect Recipients Recommendation Fixed
38 - Lack of Check on Account's NEAR Balance Recommendation Fixed
39 - TPotential Centralization Problem Note Confirmed

More details are provided in the audit report.

Take the first step towards a secure future

Reach out now for BlockSec's expert code audit services, elevate the security of your protocol before it goes live!