From a5210f40d61fc6f002b0ed48e46a327aa56975f4 Mon Sep 17 00:00:00 2001 From: Ana Julia Date: Sun, 25 Aug 2024 18:13:23 -0300 Subject: [PATCH] Upload new aderyn report --- audit/aderyn-report.md | 272 ++++++++++++++++++++++++++++------------- 1 file changed, 184 insertions(+), 88 deletions(-) diff --git a/audit/aderyn-report.md b/audit/aderyn-report.md index 738b45e..be9467f 100644 --- a/audit/aderyn-report.md +++ b/audit/aderyn-report.md @@ -12,8 +12,8 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati - [H-1: Return value of the function call is not checked.](#h-1-return-value-of-the-function-call-is-not-checked) - [Low Issues](#low-issues) - [L-1: Centralization Risk for trusted owners](#l-1-centralization-risk-for-trusted-owners) - - [L-2: Missing checks for `address(0)` when assigning values to address state variables](#l-2-missing-checks-for-address0-when-assigning-values-to-address-state-variables) - - [L-3: `public` functions not used internally could be marked `external`](#l-3-public-functions-not-used-internally-could-be-marked-external) + - [L-2: Unsafe ERC20 Operations should not be used](#l-2-unsafe-erc20-operations-should-not-be-used) + - [L-3: Missing checks for `address(0)` when assigning values to address state variables](#l-3-missing-checks-for-address0-when-assigning-values-to-address-state-variables) - [L-4: Event is missing `indexed` fields](#l-4-event-is-missing-indexed-fields) - [L-5: Internal functions called only once can be inlined](#l-5-internal-functions-called-only-once-can-be-inlined) - [L-6: Unused Custom Error](#l-6-unused-custom-error) 
@@ -25,21 +25,21 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati | Key | Value | | ----------- | ----- | | .sol Files | 8 | -| Total nSLOC | 566 | +| Total nSLOC | 787 | ## Files Details | Filepath | nSLOC | | -------------------------------------- | ------- | -| src/BaseStaking.sol | 115 | -| src/DelegateStaking.sol | 110 | -| src/RewardsDistributor.sol | 87 | -| src/Staking.sol | 127 | +| src/BaseStaking.sol | 121 | +| src/DelegateStaking.sol | 101 | +| src/RewardsDistributor.sol | 96 | +| src/Staking.sol | 102 | | src/interfaces/IERC20.sol | 14 | | src/interfaces/IRewardsDistributor.sol | 12 | +| src/libraries/EnumerableSetLib.sol | 299 | | src/libraries/FixedPointMathLib.sol | 42 | -| src/libraries/SafeTransferLib.sol | 59 | -| **Total** | **566** | +| **Total** | **787** | ## Issue Summary @@ -54,14 +54,62 @@ This report was generated by [Aderyn](https://github.com/Cyfrin/aderyn), a stati Function returns a value but it is ignored. -
1 Found Instances +
9 Found Instances -- Found in src/BaseStaking.sol [Line: 91](src/BaseStaking.sol#L91) +- Found in src/BaseStaking.sol [Line: 83](src/BaseStaking.sol#L83) ```solidity rewardsDistributor.collectRewards(); ``` +- Found in src/DelegateStaking.sol [Line: 155](src/DelegateStaking.sol#L155) + + ```solidity + userStakes[msg.sender].add(stakeId); + ``` + +- Found in src/DelegateStaking.sol [Line: 229](src/DelegateStaking.sol#L229) + + ```solidity + userStakes[msg.sender].remove(stakeId); + ``` + +- Found in src/RewardsDistributor.sol [Line: 97](src/RewardsDistributor.sol#L97) + + ```solidity + rewardToken.transfer(msg.sender, rewards); + ``` + +- Found in src/RewardsDistributor.sol [Line: 131](src/RewardsDistributor.sol#L131) + + ```solidity + rewardToken.transfer(receiver, rewards); + ``` + +- Found in src/RewardsDistributor.sol [Line: 153](src/RewardsDistributor.sol#L153) + + ```solidity + collectRewardsTo(receiver); + ``` + +- Found in src/RewardsDistributor.sol [Line: 202](src/RewardsDistributor.sol#L202) + + ```solidity + IERC20(token).transfer(to, amount); + ``` + +- Found in src/Staking.sol [Line: 163](src/Staking.sol#L163) + + ```solidity + userStakes[msg.sender].add(stakeId); + ``` + +- Found in src/Staking.sol [Line: 250](src/Staking.sol#L250) + + ```solidity + userStakes[keyper].remove(stakeId); + ``` +
# Low Issues @@ -72,61 +120,61 @@ Contracts have owners with privileged rights to perform admin tasks and need to
10 Found Instances -- Found in src/BaseStaking.sol [Line: 142](src/BaseStaking.sol#L142) +- Found in src/BaseStaking.sol [Line: 151](src/BaseStaking.sol#L151) ```solidity ) external onlyOwner { ``` -- Found in src/BaseStaking.sol [Line: 150](src/BaseStaking.sol#L150) +- Found in src/BaseStaking.sol [Line: 159](src/BaseStaking.sol#L159) ```solidity function setLockPeriod(uint256 _lockPeriod) external onlyOwner { ``` -- Found in src/DelegateStaking.sol [Line: 252](src/DelegateStaking.sol#L252) +- Found in src/DelegateStaking.sol [Line: 247](src/DelegateStaking.sol#L247) ```solidity function setStakingContract(address _stakingContract) external onlyOwner { ``` -- Found in src/RewardsDistributor.sol [Line: 9](src/RewardsDistributor.sol#L9) +- Found in src/RewardsDistributor.sol [Line: 13](src/RewardsDistributor.sol#L13) ```solidity contract RewardsDistributor is Ownable, IRewardsDistributor { ``` -- Found in src/RewardsDistributor.sol [Line: 145](src/RewardsDistributor.sol#L145) +- Found in src/RewardsDistributor.sol [Line: 142](src/RewardsDistributor.sol#L142) ```solidity ) external override onlyOwner { ``` -- Found in src/RewardsDistributor.sol [Line: 162](src/RewardsDistributor.sol#L162) +- Found in src/RewardsDistributor.sol [Line: 165](src/RewardsDistributor.sol#L165) ```solidity - function removeRewardConfiguration(address receiver) external onlyOwner { + ) external override onlyOwner { ``` - Found in src/RewardsDistributor.sol [Line: 174](src/RewardsDistributor.sol#L174) ```solidity - ) public override onlyOwner { + function setRewardToken(address _rewardToken) external override onlyOwner { ``` -- Found in src/RewardsDistributor.sol [Line: 180](src/RewardsDistributor.sol#L180) +- Found in src/RewardsDistributor.sol [Line: 197](src/RewardsDistributor.sol#L197) ```solidity - function setRewardToken(address _rewardToken) external onlyOwner { + ) public override onlyOwner { ``` -- Found in src/Staking.sol [Line: 274](src/Staking.sol#L274) +- Found in src/Staking.sol 
[Line: 264](src/Staking.sol#L264) ```solidity function setMinStake(uint256 _minStake) external onlyOwner { ``` -- Found in src/Staking.sol [Line: 284](src/Staking.sol#L284) +- Found in src/Staking.sol [Line: 274](src/Staking.sol#L274) ```solidity function setKeyper(address keyper, bool isKeyper) external onlyOwner { @@ -134,78 +182,96 @@ Contracts have owners with privileged rights to perform admin tasks and need to
-## L-2: Missing checks for `address(0)` when assigning values to address state variables +## L-2: Unsafe ERC20 Operations should not be used -Check for `address(0)` when assigning values to address state variables. +ERC20 functions may not behave as expected. For example: return values are not always meaningful. It is recommended to use OpenZeppelin's SafeERC20 library. -
6 Found Instances +
7 Found Instances -- Found in src/DelegateStaking.sol [Line: 138](src/DelegateStaking.sol#L138) +- Found in src/BaseStaking.sol [Line: 120](src/BaseStaking.sol#L120) ```solidity - stakingToken = IERC20(_stakingToken); + stakingToken.transfer(msg.sender, rewards); ``` -- Found in src/DelegateStaking.sol [Line: 139](src/DelegateStaking.sol#L139) +- Found in src/BaseStaking.sol [Line: 209](src/BaseStaking.sol#L209) ```solidity - rewardsDistributor = IRewardsDistributor(_rewardsDistributor); + stakingToken.transferFrom(msg.sender, address(this), amount); ``` -- Found in src/DelegateStaking.sol [Line: 140](src/DelegateStaking.sol#L140) +- Found in src/BaseStaking.sol [Line: 230](src/BaseStaking.sol#L230) ```solidity - staking = IStaking(_stakingContract); + stakingToken.transfer(user, amount); ``` -- Found in src/RewardsDistributor.sol [Line: 73](src/RewardsDistributor.sol#L73) +- Found in src/BaseStaking.sol [Line: 270](src/BaseStaking.sol#L270) ```solidity - rewardToken = IERC20(_rewardToken); + stakingToken.transferFrom(msg.sender, address(this), amount); ``` -- Found in src/Staking.sol [Line: 134](src/Staking.sol#L134) +- Found in src/RewardsDistributor.sol [Line: 97](src/RewardsDistributor.sol#L97) ```solidity - stakingToken = IERC20(_stakingToken); + rewardToken.transfer(msg.sender, rewards); ``` -- Found in src/Staking.sol [Line: 135](src/Staking.sol#L135) +- Found in src/RewardsDistributor.sol [Line: 131](src/RewardsDistributor.sol#L131) ```solidity - rewardsDistributor = IRewardsDistributor(_rewardsDistributor); + rewardToken.transfer(receiver, rewards); + ``` + +- Found in src/RewardsDistributor.sol [Line: 202](src/RewardsDistributor.sol#L202) + + ```solidity + IERC20(token).transfer(to, amount); ```
-## L-3: `public` functions not used internally could be marked `external` +## L-3: Missing checks for `address(0)` when assigning values to address state variables -Instead of marking a function as `public`, consider marking it as `external` if it is not used internally. +Check for `address(0)` when assigning values to address state variables. -
4 Found Instances +
6 Found Instances - Found in src/DelegateStaking.sol [Line: 126](src/DelegateStaking.sol#L126) ```solidity - function initialize( + staking = IStaking(_stakingContract); + ``` + +- Found in src/DelegateStaking.sol [Line: 127](src/DelegateStaking.sol#L127) + + ```solidity + stakingToken = ERC20Votes(_stakingToken); ``` -- Found in src/DelegateStaking.sol [Line: 269](src/DelegateStaking.sol#L269) +- Found in src/DelegateStaking.sol [Line: 128](src/DelegateStaking.sol#L128) ```solidity - function maxWithdraw( + rewardsDistributor = IRewardsDistributor(_rewardsDistributor); ``` -- Found in src/Staking.sol [Line: 122](src/Staking.sol#L122) +- Found in src/RewardsDistributor.sol [Line: 72](src/RewardsDistributor.sol#L72) ```solidity - function initialize( + rewardToken = IERC20(_rewardToken); ``` -- Found in src/Staking.sol [Line: 299](src/Staking.sol#L299) +- Found in src/Staking.sol [Line: 126](src/Staking.sol#L126) ```solidity - function maxWithdraw( + stakingToken = ERC20Votes(_stakingToken); + ``` + +- Found in src/Staking.sol [Line: 127](src/Staking.sol#L127) + + ```solidity + rewardsDistributor = IRewardsDistributor(_rewardsDistributor); ```
@@ -216,49 +282,49 @@ Index event fields make the field more quickly accessible to off-chain tools tha
10 Found Instances -- Found in src/BaseStaking.sol [Line: 58](src/BaseStaking.sol#L58) +- Found in src/BaseStaking.sol [Line: 53](src/BaseStaking.sol#L53) ```solidity event RewardsClaimed(address indexed user, uint256 rewards); ``` -- Found in src/DelegateStaking.sol [Line: 83](src/DelegateStaking.sol#L83) +- Found in src/DelegateStaking.sol [Line: 77](src/DelegateStaking.sol#L77) ```solidity event Staked( ``` -- Found in src/DelegateStaking.sol [Line: 91](src/DelegateStaking.sol#L91) +- Found in src/DelegateStaking.sol [Line: 85](src/DelegateStaking.sol#L85) ```solidity event Unstaked(address indexed user, uint256 amount, uint256 shares); ``` -- Found in src/RewardsDistributor.sol [Line: 43](src/RewardsDistributor.sol#L43) +- Found in src/RewardsDistributor.sol [Line: 42](src/RewardsDistributor.sol#L42) ```solidity event RewardConfigurationSet( ``` -- Found in src/RewardsDistributor.sol [Line: 48](src/RewardsDistributor.sol#L48) +- Found in src/RewardsDistributor.sol [Line: 47](src/RewardsDistributor.sol#L47) ```solidity event RewardCollected(address indexed receiver, uint256 reward); ``` -- Found in src/Staking.sol [Line: 78](src/Staking.sol#L78) +- Found in src/Staking.sol [Line: 77](src/Staking.sol#L77) ```solidity event Staked(address indexed user, uint256 amount, uint256 lockPeriod); ``` -- Found in src/Staking.sol [Line: 81](src/Staking.sol#L81) +- Found in src/Staking.sol [Line: 80](src/Staking.sol#L80) ```solidity event Unstaked(address indexed user, uint256 amount, uint256 shares); ``` -- Found in src/Staking.sol [Line: 84](src/Staking.sol#L84) +- Found in src/Staking.sol [Line: 83](src/Staking.sol#L83) ```solidity event KeyperSet(address indexed keyper, bool isKeyper); @@ -282,7 +348,37 @@ Index event fields make the field more quickly accessible to off-chain tools tha Instead of separating the logic into a separate function, consider inlining the logic into the calling function. This can reduce the number of function calls and improve readability. -
2 Found Instances +
7 Found Instances + +- Found in src/libraries/EnumerableSetLib.sol [Line: 82](src/libraries/EnumerableSetLib.sol#L82) + + ```solidity + function length( + ``` + +- Found in src/libraries/EnumerableSetLib.sol [Line: 121](src/libraries/EnumerableSetLib.sol#L121) + + ```solidity + function add( + ``` + +- Found in src/libraries/EnumerableSetLib.sol [Line: 201](src/libraries/EnumerableSetLib.sol#L201) + + ```solidity + function contains( + ``` + +- Found in src/libraries/EnumerableSetLib.sol [Line: 251](src/libraries/EnumerableSetLib.sol#L251) + + ```solidity + function remove( + ``` + +- Found in src/libraries/EnumerableSetLib.sol [Line: 323](src/libraries/EnumerableSetLib.sol#L323) + + ```solidity + function values( + ``` - Found in src/libraries/FixedPointMathLib.sol [Line: 28](src/libraries/FixedPointMathLib.sol#L28) @@ -304,130 +400,130 @@ it is recommended that the definition be removed when custom error is unused
21 Found Instances -- Found in src/BaseStaking.sol [Line: 69](src/BaseStaking.sol#L69) +- Found in src/BaseStaking.sol [Line: 61](src/BaseStaking.sol#L61) ```solidity error WithdrawAmountTooHigh(); ``` -- Found in src/BaseStaking.sol [Line: 76](src/BaseStaking.sol#L76) +- Found in src/BaseStaking.sol [Line: 68](src/BaseStaking.sol#L68) ```solidity error NoRewardsToClaim(); ``` -- Found in src/BaseStaking.sol [Line: 79](src/BaseStaking.sol#L79) +- Found in src/BaseStaking.sol [Line: 71](src/BaseStaking.sol#L71) ```solidity error AddressZero(); ``` -- Found in src/BaseStaking.sol [Line: 82](src/BaseStaking.sol#L82) - - ```solidity - error SharesMustBeGreaterThanZero(); - ``` - -- Found in src/DelegateStaking.sol [Line: 101](src/DelegateStaking.sol#L101) +- Found in src/BaseStaking.sol [Line: 74](src/BaseStaking.sol#L74) ```solidity error UserHasNoShares(); ``` -- Found in src/DelegateStaking.sol [Line: 104](src/DelegateStaking.sol#L104) +- Found in src/DelegateStaking.sol [Line: 95](src/DelegateStaking.sol#L95) ```solidity error ZeroAmount(); ``` -- Found in src/DelegateStaking.sol [Line: 108](src/DelegateStaking.sol#L108) +- Found in src/DelegateStaking.sol [Line: 99](src/DelegateStaking.sol#L99) ```solidity error StakeDoesNotBelongToUser(); ``` -- Found in src/DelegateStaking.sol [Line: 111](src/DelegateStaking.sol#L111) +- Found in src/DelegateStaking.sol [Line: 102](src/DelegateStaking.sol#L102) ```solidity error StakeDoesNotExist(); ``` -- Found in src/DelegateStaking.sol [Line: 114](src/DelegateStaking.sol#L114) +- Found in src/DelegateStaking.sol [Line: 105](src/DelegateStaking.sol#L105) ```solidity error StakeIsStillLocked(); ``` -- Found in src/DelegateStaking.sol [Line: 117](src/DelegateStaking.sol#L117) +- Found in src/DelegateStaking.sol [Line: 108](src/DelegateStaking.sol#L108) ```solidity error AddressIsNotAKeyper(); ``` -- Found in src/RewardsDistributor.sol [Line: 57](src/RewardsDistributor.sol#L57) +- Found in src/RewardsDistributor.sol [Line: 
56](src/RewardsDistributor.sol#L56) ```solidity error ZeroAddress(); ``` -- Found in src/RewardsDistributor.sol [Line: 60](src/RewardsDistributor.sol#L60) +- Found in src/RewardsDistributor.sol [Line: 59](src/RewardsDistributor.sol#L59) ```solidity error EmissionRateZero(); ``` -- Found in src/RewardsDistributor.sol [Line: 63](src/RewardsDistributor.sol#L63) +- Found in src/RewardsDistributor.sol [Line: 62](src/RewardsDistributor.sol#L62) ```solidity error NotEnoughFunds(); ``` -- Found in src/RewardsDistributor.sol [Line: 66](src/RewardsDistributor.sol#L66) +- Found in src/RewardsDistributor.sol [Line: 65](src/RewardsDistributor.sol#L65) ```solidity error TimeDeltaZero(); ``` -- Found in src/Staking.sol [Line: 93](src/Staking.sol#L93) - - ```solidity - error UserHasNoShares(); - ``` - -- Found in src/Staking.sol [Line: 96](src/Staking.sol#L96) +- Found in src/Staking.sol [Line: 90](src/Staking.sol#L90) ```solidity error OnlyKeyper(); ``` -- Found in src/Staking.sol [Line: 100](src/Staking.sol#L100) +- Found in src/Staking.sol [Line: 94](src/Staking.sol#L94) ```solidity error FirstStakeLessThanMinStake(); ``` -- Found in src/Staking.sol [Line: 103](src/Staking.sol#L103) +- Found in src/Staking.sol [Line: 97](src/Staking.sol#L97) ```solidity error ZeroAmount(); ``` -- Found in src/Staking.sol [Line: 107](src/Staking.sol#L107) +- Found in src/Staking.sol [Line: 101](src/Staking.sol#L101) ```solidity error StakeDoesNotBelongToUser(); ``` -- Found in src/Staking.sol [Line: 110](src/Staking.sol#L110) +- Found in src/Staking.sol [Line: 104](src/Staking.sol#L104) ```solidity error StakeDoesNotExist(); ``` -- Found in src/Staking.sol [Line: 113](src/Staking.sol#L113) +- Found in src/Staking.sol [Line: 107](src/Staking.sol#L107) ```solidity error StakeIsStillLocked(); ``` +- Found in src/libraries/EnumerableSetLib.sol [Line: 20](src/libraries/EnumerableSetLib.sol#L20) + + ```solidity + error IndexOutOfBounds(); + ``` + +- Found in src/libraries/EnumerableSetLib.sol [Line: 
23](src/libraries/EnumerableSetLib.sol#L23) + + ```solidity + error ValueIsZeroSentinel(); + ``` +
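Review bot: The patch does not say which source commit the report was generated from, yet nearly every finding is re-anchored to a new line number (for example `src/BaseStaking.sol` L142 becomes L151 and `src/Staking.sol` L284 becomes L274). The subject "Upload new aderyn report" gives a reader no way to match those line references to a tree. Please name the analysed commit in the commit message or at the top of `audit/aderyn-report.md`, so the `#L…` links can be checked against the code they describe.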
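Review bot: In the H-1 section the instance count rises from 1 to 9, and three of the new instances are token transfers whose return value is dropped: `rewardToken.transfer(msg.sender, rewards);` (RewardsDistributor.sol L97), `rewardToken.transfer(receiver, rewards);` (L131) and `IERC20(token).transfer(to, amount);` (L202). The Files Details hunk of the same patch removes `src/libraries/SafeTransferLib.sol` from the table, so this report records the loss of a safe-transfer wrapper rather than new code paths only. A token that signals failure by returning `false` would not stop these calls. Before this report is accepted as the baseline, either restore a checked transfer (the report's own L-2 text recommends OpenZeppelin's SafeERC20) or add a triage line per instance explaining why it is safe. The ignored results of `userStakes[...].add(stakeId)` and `.remove(stakeId)` (DelegateStaking.sol L155 and L229, Staking.sol L163 and L250) need the same decision: check the result or state that ignoring it is intended.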
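Review bot: The new L-2 section lists four raw ERC20 calls on `stakingToken` in `src/BaseStaking.sol` (L120, L209, L230, L270), including both `stakingToken.transferFrom(msg.sender, address(this), amount);` deposit calls, with no statement of what the contract assumes about the token. The L-3 section shows `stakingToken = ERC20Votes(_stakingToken);`, so if the design relies on the staking token being an implementation that reverts on failure, that assumption should be written down next to this finding. It cannot cover `IERC20(token).transfer(to, amount);` at RewardsDistributor.sol L202, where the token is a variable rather than a fixed state variable. Please add an accepted-risk note for the `stakingToken` calls and treat the L202 call separately.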
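Review bot: The renumbered L-3 section still lists six unchecked address assignments in the initializers (DelegateStaking.sol L126 to L128, RewardsDistributor.sol L72, Staking.sol L126 and L127), while the L-6 section of the same report lists `error AddressZero();` (BaseStaking.sol L71) and `error ZeroAddress();` (RewardsDistributor.sol L56) as unused custom errors. The errors meant for this check exist but are never raised. Reverting with them when `_stakingToken`, `_rewardsDistributor`, `_stakingContract` or `_rewardToken` is `address(0)` would clear findings in both sections at once; if the missing checks are deliberate, the unused errors should be removed instead.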
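Review bot: Seven of the additions in the L-5 and L-6 sections come from `src/libraries/EnumerableSetLib.sol`: `length`, `add`, `contains`, `remove` and `values` under "Internal functions called only once can be inlined", plus `error IndexOutOfBounds();` and `error ValueIsZeroSentinel();` under "Unused Custom Error". Inlining a set library's functions or deleting its errors is not something a reviewer of the staking contracts would act on, and the file contributes 299 of the 787 nSLOC, so these entries dilute the findings that matter. H-1 in this same report shows `add` and `remove` called from both DelegateStaking.sol and Staking.sol, which suggests the "called only once" result refers to individual overloads. Consider excluding `src/libraries/` from the Aderyn scope, or marking these entries as acknowledged library noise in the report.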