Staking Audit Fixes

[ryzhak]

Resolves #998

In particular applies changes from #998 (comment).

Issue	Status
[H-01] Missing "mass pool update" on creating/updating a pool affects users' rewards	Fixed
[M-01] Staking and reward tokens overlapping with LibUbiquityPool's collateral skews calculations	Fixed
[M-02] Possible reentrancy	Fixed
[M-03] setStakingRewardToken causes DoS of stake/unstake methods	Acknowledged
[M-04] Staked tokens are stuck in the contract	Acknowledged
[M-05] Staking DoS if UBQ_MINTER_ROLE is revoked from the Diamond contract	Acknowledged
[M-06] User can get 0 rewards on high stake amounts	Fixed
[M-07] Dust reward tokens are stuck in the contract	Acknowledged
[M-08] Some "weird" ERC20 tokens are not supported	Acknowledged
[L-01] Unused imports	Fixed
[L-02] whenNotPaused modifier not used	Fixed
[L-03] Treasury griefing	Fixed
[L-04] governanceTreasuryDivider can't be set to 0	Fixed
[L-05] DoS when treasuryAddress is 0	Acknowledged

The Check For Diamond Storage Changes workflow is failing because of #992. Anyway it's safe to update the storage layout of the LibStaking since it's not deployed yet.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ubiquity-os]

Caution

No labels are set.

[ryzhak]

@0x4007 This PR is ready for review

[0x4007]

Tip

Hello, world!

[0x4007]

[!CAUTION]
No labels are set.

@gentlementlegen not sure why this sent so many consecutively this shouldn't happen (isBotEvent related?) also should be a warning not caution.

@ryzhak I'll review when I'm on my computer

[0x4007]

We should get more eyes on this.

[Copilot]

Pull Request Overview

This PR applies audit fixes for the staking functionality, addressing high and medium severity issues found during security review. The changes focus on improving reward calculations, preventing token overlap conflicts, and enhancing security through proper access controls.

• Implements mass pool updates when creating/updating pools to ensure accurate reward calculations
• Adds validation to prevent staking/reward tokens from overlapping with UbiquityPool collateral tokens
• Adds reentrancy protection and pause functionality to critical staking operations

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
LibStaking.sol	Core staking logic updates including mass pool updates, collateral overlap checks, and treasury divider validation
StakingFacet.sol	Added security modifiers (whenNotPaused, nonReentrant) and simplified function signatures
IStaking.sol	Updated interface to match simplified function signatures and added documentation
StakingFacet.t.sol	Updated tests to match new function signatures and added new test cases for collateral overlap validation
StakingFacet.fuzz.t.sol	Updated fuzz tests with new function signatures and improved parameter bounds
AaveAmo.t.sol	Fixed test to use valid function call instead of empty call

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[0x4007]

We should get more eyes on this.

zgo said they can take a look soon

[zgorizzo69]

good job fixing the issues from the audit
I would only add one small test and assess if feasible to make setStakingRewardToken revert if there are pending rewards

[gentlementlegen]

[!CAUTION]
No labels are set.

@gentlementlegen not sure why this sent so many consecutively this shouldn't happen (isBotEvent related?) also should be a warning not caution.

@ryzhak I'll review when I'm on my computer

This emanates from command-start-stop that tried to assign the user to the linked issue, unsuccessfully due to the labels lacking there. It reacts to pull-request.opened but also to pull_request.edited, so it tried to assign the user again on each edit.

[0x4007]

@ryzhak I guess the failed CI doesn't matter?

[ryzhak]

@ryzhak I guess the failed CI doesn't matter?

Yes

The Check For Diamond Storage Changes workflow is failing because of #992. Anyway it's safe to update the storage layout of the LibStaking since it's not deployed yet.

[0x4007]

@rndquu please resolve zgorizzo69's review comments- whether to implement or ignore is your decision

[ryzhak]

@rndquu please resolve zgorizzo69's review comments- whether to implement or ignore is your decision

All resolved, everything is kept "as is"