code-423n4 / 2022-06-infinity-findings


QA Report #172

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Low Risk

Missing check for address(0x0) when assigning values to address state variables

1. File: InfinityStaker.sol#L50-51

    INFINITY_TOKEN = _tokenAddress;
    INFINITY_TREASURY = _infinityTreasury;

2. File: InfinityStaker.sol#L376

    INFINITY_TREASURY = _infinityTreasury;

3. File: InfinityExchange.sol#L115-116

    WETH = _WETH;
    MATCH_EXECUTOR = _matchExecutor;

Missing whenNotPaused modifier on rageQuit()

This function allows users to withdraw tokens from the contract and should be given the whenNotPaused modifier, like unstake(). If the contract is paused, an exploiter could still potentially drain the contract.

1. File: InfinityStaker.sol#L136

QA

Constants should be defined rather than using magic numbers

1. File: InfinityStaker.sol#L237

    (userstakedAmounts[user][Duration.TWELVE_MONTHS].amount * 4)) / (10**18);

2. File: InfinityExchange.sol#L775

    require(minNonce < userMinOrderNonce[msg.sender] + 1000000, 'too many');

3. File: InfinityExchange.sol#L775

    uint256 protocolFee = (protocolFeeBps * execPrice) / 10000;

4. File: InfinityExchange.sol#L819

    uint256 protocolFee = (protocolFeeBps * execPrice) / 10000;

5. File: InfinityExchange.sol#L1135

    uint256 protocolFee = (PROTOCOL_FEE_BPS * amount) / 10000;

Events should use three indexed fields if three or more fields are used.

1. File: InfinityStaker.sol#L44

    event Staked(address indexed user, uint256 amount, Duration duration);

2. File: InfinityStaker.sol#L45

    event DurationChanged(address indexed user, uint256 amount, Duration oldDuration, Duration newDuration);

3. File: InfinityStaker.sol#L47

    event RageQuit(address indexed user, uint256 totalToUser, uint256 penalty);

Consider adding an event when changing critical state variables.

updatePenalties()

1. File: InfinityStaker.sol#L364

updateStakeLevelThreshold()

2. File: InfinityStaker.sol#L351
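The following contract is an added illustration of the fixes recommended in this report, gathered into one minimal staker; it is not InfinityStaker.sol, is not the warden's or the sponsor's code, and shares no logic with the audited contracts. It assumes OpenZeppelin Contracts 4.x import paths; the contract name, the BPS_DENOMINATOR and MAX_PENALTY_BPS constants, the stakedAmount mapping and the TreasuryUpdated and PenaltyUpdated events are hypothetical names chosen here, while INFINITY_TOKEN, INFINITY_TREASURY, rageQuit(), unstake() and updatePenalties() are borrowed from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Assumes OpenZeppelin Contracts 4.x import paths.
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/security/Pausable.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @notice Hypothetical minimal staker written to show the fixes recommended in
/// this QA report. It is not InfinityStaker.sol and shares no code with it.
contract HardenedStaker is Ownable, Pausable {
    using SafeERC20 for IERC20;

    // Named constants instead of magic numbers (10000 bps = 100%).
    uint256 public constant BPS_DENOMINATOR = 10_000;
    uint256 public constant MAX_PENALTY_BPS = 5_000; // hypothetical cap on the rage-quit penalty

    IERC20 public immutable INFINITY_TOKEN;
    address public INFINITY_TREASURY;
    uint256 public penaltyBps;

    mapping(address => uint256) public stakedAmount;

    // Three indexed fields where an event carries three or more fields.
    event Staked(address indexed user, uint256 indexed amount, uint256 indexed newTotal);
    event RageQuit(address indexed user, uint256 indexed totalToUser, uint256 indexed penalty);
    // An event for every change to a critical state variable.
    event TreasuryUpdated(address indexed oldTreasury, address indexed newTreasury);
    event PenaltyUpdated(uint256 oldPenaltyBps, uint256 newPenaltyBps);

    constructor(address _tokenAddress, address _infinityTreasury) {
        // Zero-address checks before assigning address state variables.
        require(_tokenAddress != address(0), "token is zero address");
        require(_infinityTreasury != address(0), "treasury is zero address");
        INFINITY_TOKEN = IERC20(_tokenAddress);
        INFINITY_TREASURY = _infinityTreasury;
    }

    // The setter gets the same zero-address check plus an event.
    function updateInfinityTreasury(address _infinityTreasury) external onlyOwner {
        require(_infinityTreasury != address(0), "treasury is zero address");
        emit TreasuryUpdated(INFINITY_TREASURY, _infinityTreasury);
        INFINITY_TREASURY = _infinityTreasury;
    }

    function updatePenalties(uint256 _penaltyBps) external onlyOwner {
        require(_penaltyBps <= MAX_PENALTY_BPS, "penalty too high");
        emit PenaltyUpdated(penaltyBps, _penaltyBps);
        penaltyBps = _penaltyBps;
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    function stake(uint256 amount) external whenNotPaused {
        require(amount > 0, "zero amount");
        stakedAmount[msg.sender] += amount;
        emit Staked(msg.sender, amount, stakedAmount[msg.sender]);
        INFINITY_TOKEN.safeTransferFrom(msg.sender, address(this), amount);
    }

    function unstake(uint256 amount) external whenNotPaused {
        require(amount > 0 && amount <= stakedAmount[msg.sender], "bad amount");
        stakedAmount[msg.sender] -= amount;
        INFINITY_TOKEN.safeTransfer(msg.sender, amount);
    }

    // rageQuit is gated by the same whenNotPaused modifier as unstake, so pausing
    // the contract stops every token-outflow path rather than all but one.
    function rageQuit() external whenNotPaused {
        uint256 total = stakedAmount[msg.sender];
        require(total > 0, "nothing staked");
        stakedAmount[msg.sender] = 0; // state updated before any transfer
        uint256 penalty = (total * penaltyBps) / BPS_DENOMINATOR;
        uint256 totalToUser = total - penalty;
        emit RageQuit(msg.sender, totalToUser, penalty);
        if (penalty > 0) INFINITY_TOKEN.safeTransfer(INFINITY_TREASURY, penalty);
        INFINITY_TOKEN.safeTransfer(msg.sender, totalToUser);
    }
}
```

One caveat worth weighing before adopting the whenNotPaused recommendation: once every withdrawal path is pausable, the pauser can freeze user funds indefinitely, so the sponsor should decide whether an emergency stop on deposits alone, or a pause with a time-bounded escape hatch, better matches the trust model. The zero-address checks and the events cost a few hundred gas at deploy or on rare admin calls and have no such trade-off.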