reddink
commented
4 years ago Thanks for taking the time to review our code, it is always appreciated. Yes you are correct, we were only checking for the existence of the dev vout address and that the total sum of the stake reward matched. In our initial thoughts on how to handle the dev payment, there was a desire to make the amount configurable. Ultimately we settled on sending a fixed amount.
While we may revisit making it a configurable amount in a future release, we take your point to tighten up this oversight in the short term.
Cheers.
TechAdeptRDD
Following an audit of your PoSV2 code changes looking for flaws and exploits, I found a small one, small enough not to bother exploiting myself. I see you have added an 8% payment of stake rewards to a developer fund. In the block validation code you only check that the coinstake transaction has a vout to the dev address. The payment could be for zero and the block would still pass validation. You may want to tighten up on this, at least checking for a non-zero payment or perhaps something that is at least over a % threshold. Otherwise people can easily boost their stakes with the dev fund losing out. You may as well make the development fund % configurable since you've in effect made it a voluntary payment from a protocol perspective as things stand.