Brief audit of 'l2mp_staking.ride`

[deemru]

• CRITICAL: negative values in list can bypass check

  contracts/ride/l2mp_staking.ride

  Line 407 in 766890c

  amountListSum <= i.payments[0].amount || "payment amount is less than sum of amountList".throwErr()

• HIGH: duplicated addresses rewrites itself

  contracts/ride/l2mp_staking.ride

  Line 398 in 766890c

  func airdrop(addressList: List[String], amountList: List[Int]) = {

  contracts/ride/l2mp_staking.ride

  Line 417 in 766890c

  (result :+ IntegerEntry(userLockedLpKey, oldLpAmount + addedLpAmount), index + 1, totalLp + addedLpAmount)

• MEDIUM: address can be any string value

  contracts/ride/l2mp_staking.ride

  Line 414 in 766890c

  let userLockedLpKey = keyUserLockedLpAmount(addressList[index])

• MEDIUM: can be proxied by third-party apps to set their nodeAddress unnoticed by user

  contracts/ride/l2mp_staking.ride

  Line 389 in 766890c

  i.originCaller.toString() == userAddress || "i.originCaller should be equal to userAddress".throwErr()

• MEDIUM: address is more than 26 any bytes

  contracts/ride/l2mp_staking.ride

  Line 236 in 766890c

  userAddress.fromBase58String().size() == ADDRESS_BYTES_SIZE || "user address is not valid".throwErr()

  contracts/ride/l2mp_staking.ride

  Lines 306 to 307 in 766890c

  	userAddress.fromBase58String().size() == ADDRESS_BYTES_SIZE || "user address is not valid".throwErr(),
  	nodeAddress.fromBase58String().size() == ADDRESS_BYTES_SIZE || "node address is not valid".throwErr()

• MEDIUM: masking of negative values (can save from CRITICAL by throw instead of bypass)

  contracts/ride/l2mp_staking.ride

  Lines 207 to 213 in 766890c

  	func calcAssetFromLp(lpAmount: Int) = {
  	max([0, fraction(lpAmount.toBigInt(), getCurrentPrice(), scale18BigInt).toInt()])
  	}
  	func calcLpFromAsset(assetAmount: Int) = {
  	max([0, fraction(assetAmount.toBigInt(), scale18BigInt, getCurrentPrice()).toInt()])
  	}

• LOW: too much complexity for every getCurrentPrice() recalculation, you can use let currentPrice = getCurrentPrice() and use it as global variable once calculated (drops 7773 -> 3904 complexity for example https://waves-ide.com/s/6571a30ea0bc9700314de3c8)