BitDCA is a protocol that enables automatic micro-savings for card payments. The staking contracts are a subcomponent of BitDCA, allowing users to stake BDCA tokens and earn rewards.
The protocol implements a staking system with NFT-based positions and tiered rewards. It allows users to lock their BDCA tokens for predefined periods in exchange for bonuses. There is also an option for additional bonus distribution during the staking period in USDT and BDCA.
BitDCA engaged Ackee Blockchain Security to perform a security review of BitDCA Staking contracts with a total time donation of 6 engineering days in a period between June 23 and July 3, 2025.
A second, fix review was performed between August 14 and August 15, 2025.
A third, fix review with a time donation of 1 engineering day was then performed to address unresolved issues from the previous revision.
METHODOLOGY
- Verification of technical specification
The audit scope is confirmed with the client, and auditors are onboarded to the project. Provided documentation is reviewed and compared to the audited system. - Tool-based analysis
A deep check with Solidity static analysis tool Wake along with with the Solidity (Wake) extension is performed, flagging potential vulnerabilities for further analysis early in the process. - Manual code review
Auditors manually check the code line by line, identifying vulnerabilities and code quality issues. The main focus is on recognizing potential edge cases and project-specific risks. - Local deployment and hacking
Contracts are deployed in a local Wake environment, where targeted attempts to exploit vulnerabilities are made. The contracts’ resilience against various attack vectors is evaluated. - Unit and fuzz testing
Unit tests are run to verify expected system behavior. Additional unit or fuzz tests may be written using Wake Framework if any coverage gaps are identified. The goal is to verify the system’s stability under real-world conditions and ensure robustness against both expected and unexpected inputs.
We began our review using static analysis tools, including Wake. We then took a deep dive into the logic of the contracts. For testing and fuzzing, we used Wake Framework. The Staking contract had an integration with an out-of-scope contract (Presale.sol) which was treated as a black box for the review purposes. During the review, we paid special attention to:
- ensuring the arithmetic of the system is correct;
- checking the fairness of the reward distribution;
- ensuring the staking process matches the expected behavior;
- detecting possible reentrancies in the code;
- ensuring access controls are not too relaxed or too strict; and
- looking for common issues such as data validation.
SCOPE
The audit was performed on commit c62d3dd in a private repository and the scope was the following:
Staking.sol; andStakingNFT.sol
Revision 1.1 was performed between August 14 and August 15, 2025 on commit 522ad96, with the scope the fixes of the previous revision.
Revision 2.0 was performed on commit c05674c, with the scope the unresolved issues from the previous revision.
FINDINGS
The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as medium severity, but which would be likely discovered only by the team, are typically decreased by the likelihood factor to the Warning or Informational severity ratings.
Our review resulted in 25 findings, ranging from Warning to High severity. The most severe finding was H2, which would have malformed the reward distribution. BitDCA have fixed all findings except for W3, which has been acknowledged as an intended aspect of the protocol’s business design. Find BitDCA’s statement on W3 along with full finding details per revision in the audit report PDF linked below.
Critical severity
No critical severity issues were found.
High severity
H1: Inverted logic in NFT transfer hook
H2: The distributeRewards function is flawed
H3: The project is not compatible with smart accounts
Medium severity
M1: Hardcoded decimal assumptions
M2: Stake amount restriction can be bypassed
Low severity
L1: Unsafe ERC20 operations
L2: Inconsistent access control
L3: Max stake amount can be exceeded
L4: Missing events for critical state changes
L5: Missing pause modifier on reward distribution
L6: Mint function is performing safe mint
Warning severity
W1: Affiliate program integration
W2: Insufficient data validation
W3: Potential lack of funds
W4: Potential reentrancy due to NFT hook
W5: Uninitialized variables and roles
W6: Unknown swap conditions
W7: Potential price manipulation on rewards distribution
Informational severity
I1: Code duplication
I2: Division by zero in reward calculation
I3: Ambiguous error messages
I4: Use of magic numbers
I5: Missing documentation
I6: Typos
I7: Unused variables
TRUST MODEL
The admin has excessive powers across all contracts, creating a potential single point of failure. The admin can change critical parameters, pause/unpause at will, modify tier parameters that affect user funds, and withdraw all tokens at any time via the rescueToken function. The contracts can be also upgraded to different implementations.
CONCLUSION
Ackee Blockchain Security recommended BitDCA to:
- create documentation for the codebase;
- use oracles for price calculation during rewards distribution;
- define a specification for the distribution function and adjust the logic to match it;
- create a comprehensive test suite;
- simulate distribution transactions before executing them; and
- address all identified issues.
Ackee Blockchain Security’s full BitDCA Staking Contracts audit report can be found here.
We were delighted to audit BitDCA and look forward to working with them again.
