Web3 Development
Building a Staking Protocol with Reward Distribution
TL;DR
Building a staking protocol that distributes rewards fairly and gas-efficiently is one of the most common DeFi primitives — and one of the easiest to get wrong. The naive approach of iterating over all stakers to distribute rewards does not scale. The correct approach is the reward index pattern (also called the reward-per-token accumulator), which lets you calculate any staker's earned rewards in O(1) time regardless of how many participants exist. I have built staking contracts for DeFi clients through Terra Labz↗ and this article walks through the exact implementation I use — from the core reward math to compound staking, multi-token rewards, security hardening, and fuzz testing with Foundry. You will get a complete, production-quality Solidity contract you can deploy. If you need a custom staking protocol built for your project, check out my services.
Staking Architecture
Every staking protocol has the same fundamental job: users lock tokens, and in return they earn rewards proportional to their share of the total staked amount over time. The challenge is doing this without burning obscene amounts of gas.
I have seen three approaches in the wild:
- Push-based distribution. An admin calls a function that loops through every staker and sends them their share. This is the worst option. If you have 10,000 stakers, that transaction will cost more gas than anyone can afford — and it will probably exceed the block gas limit entirely.
- Snapshot-based distribution. Take periodic snapshots of balances and distribute off-chain or in batches. This works for airdrops, but not for continuous staking rewards. The granularity is too coarse, and it creates MEV opportunities around snapshot timing.
- Reward index pattern (pull-based). Maintain a global accumulator that tracks rewards-per-token-staked. Each user's pending rewards are calculated on-demand by comparing the current global index to the index at their last interaction. This is the correct approach. It is O(1) per user regardless of total staker count, it handles continuous reward streams, and it is gas-efficient.
The reward index pattern is what Synthetix popularized, what Compound uses for COMP distribution, and what every serious staking protocol has adopted since. It is the approach I use for all client work.
Here is the mental model. Imagine you have a pool with 1,000 tokens staked total, and 100 reward tokens arrive. The reward-per-token increases by 100 / 1,000 = 0.1. If Alice had 200 tokens staked, her pending reward is 200 * 0.1 = 20 tokens. No iteration required. No loops. Just multiplication.
Architecture Overview:
StakingVault.sol # Core staking logic + reward distribution
- stake() # Deposit tokens, update reward state
- withdraw() # Remove tokens, update reward state
- claimRewards() # Pull accumulated rewards
- compound() # Re-stake earned rewards (if same token)
- notifyRewardAmount() # Admin: inject new reward tokens
RewardToken.sol # ERC-20 reward token (or external)
StakingToken.sol # ERC-20 token users stake (or external)The Reward Index Pattern
The reward index pattern relies on two key values:
- `rewardPerTokenStored` — a global accumulator that increases every time rewards accrue. It represents the total rewards earned per single staked token since the protocol launched.
- `userRewardPerTokenPaid[user]` — captures the value of
rewardPerTokenStoredat the time of a user's last interaction (stake, withdraw, or claim).
The pending reward for any user is:
pendingReward = stakedBalance * (rewardPerTokenStored - userRewardPerTokenPaid) + storedRewardsEvery time a user interacts with the contract, you:
- Update the global
rewardPerTokenStoredbased on time elapsed and reward rate. - Calculate the user's pending rewards and store them.
- Set
userRewardPerTokenPaid[user]to the currentrewardPerTokenStored.
This is the Synthetix StakingRewards pattern, and I have refined it over multiple production deployments. The math is elegant:
rewardPerToken = rewardPerTokenStored + (
(lastTimeRewardApplicable - lastUpdateTime) * rewardRate * 1e18 / totalStaked
)The 1e18 scaling factor is critical — without it, you lose precision on small reward rates. Solidity has no floating-point numbers, so we use fixed-point math with 18 decimal places. This matches the standard ERC-20 decimal precision and prevents rounding errors from eating stakers' rewards.
One subtlety that catches people: lastTimeRewardApplicable is the minimum of block.timestamp and periodFinish. This prevents rewards from accruing beyond the designated reward period. Without this check, your contract would calculate phantom rewards that do not exist.
Writing the Staking Contract
Here is the complete staking contract. I will walk through each section after the full listing.
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
/// @title StakingVault
/// @author Uvin Vindula (@IAMUVIN)
/// @notice Gas-efficient staking vault with reward distribution using
/// the reward index (reward-per-token accumulator) pattern.
/// @dev Based on the Synthetix StakingRewards pattern with additional
/// safety features: pause, compound, minimum stake, and cooldown.
contract StakingVault is ReentrancyGuard, Ownable, Pausable {
using SafeERC20 for IERC20;
// ──────────────────────────────────────────────
// State
// ──────────────────────────────────────────────
IERC20 public immutable stakingToken;
IERC20 public immutable rewardToken;
uint256 public rewardRate;
uint256 public periodFinish;
uint256 public lastUpdateTime;
uint256 public rewardPerTokenStored;
uint256 public totalStaked;
uint256 public minimumStake;
uint256 public cooldownPeriod;
mapping(address => uint256) public stakedBalance;
mapping(address => uint256) public userRewardPerTokenPaid;
mapping(address => uint256) public rewards;
mapping(address => uint256) public lastStakeTime;
// ──────────────────────────────────────────────
// Events
// ──────────────────────────────────────────────
event Staked(address indexed user, uint256 amount);
event Withdrawn(address indexed user, uint256 amount);
event RewardClaimed(address indexed user, uint256 amount);
event RewardAdded(uint256 amount, uint256 duration);
event Compounded(address indexed user, uint256 amount);
event CooldownUpdated(uint256 newCooldown);
event MinimumStakeUpdated(uint256 newMinimum);
// ──────────────────────────────────────────────
// Errors
// ──────────────────────────────────────────────
error ZeroAmount();
error BelowMinimumStake();
error CooldownNotMet();
error InsufficientBalance();
error RewardPeriodNotFinished();
error TokensCannotBeSame();
error NoRewardsToClaim();
// ──────────────────────────────────────────────
// Constructor
// ──────────────────────────────────────────────
constructor(
address _stakingToken,
address _rewardToken,
uint256 _minimumStake,
uint256 _cooldownPeriod
) Ownable(msg.sender) {
if (_stakingToken == _rewardToken) revert TokensCannotBeSame();
stakingToken = IERC20(_stakingToken);
rewardToken = IERC20(_rewardToken);
minimumStake = _minimumStake;
cooldownPeriod = _cooldownPeriod;
}
// ──────────────────────────────────────────────
// Modifiers
// ──────────────────────────────────────────────
modifier updateReward(address account) {
rewardPerTokenStored = rewardPerToken();
lastUpdateTime = lastTimeRewardApplicable();
if (account != address(0)) {
rewards[account] = earned(account);
userRewardPerTokenPaid[account] = rewardPerTokenStored;
}
_;
}
// ──────────────────────────────────────────────
// View Functions
// ──────────────────────────────────────────────
function lastTimeRewardApplicable() public view returns (uint256) {
return block.timestamp < periodFinish
? block.timestamp
: periodFinish;
}
function rewardPerToken() public view returns (uint256) {
if (totalStaked == 0) {
return rewardPerTokenStored;
}
return rewardPerTokenStored + (
(lastTimeRewardApplicable() - lastUpdateTime)
* rewardRate
* 1e18
/ totalStaked
);
}
function earned(address account) public view returns (uint256) {
return (
stakedBalance[account]
* (rewardPerToken() - userRewardPerTokenPaid[account])
/ 1e18
) + rewards[account];
}
function getRewardForDuration() external view returns (uint256) {
return rewardRate * (periodFinish - lastUpdateTime);
}
// ──────────────────────────────────────────────
// Core Functions
// ──────────────────────────────────────────────
function stake(uint256 amount)
external
nonReentrant
whenNotPaused
updateReward(msg.sender)
{
if (amount == 0) revert ZeroAmount();
if (stakedBalance[msg.sender] + amount < minimumStake) {
revert BelowMinimumStake();
}
totalStaked += amount;
stakedBalance[msg.sender] += amount;
lastStakeTime[msg.sender] = block.timestamp;
stakingToken.safeTransferFrom(msg.sender, address(this), amount);
emit Staked(msg.sender, amount);
}
function withdraw(uint256 amount)
external
nonReentrant
updateReward(msg.sender)
{
if (amount == 0) revert ZeroAmount();
if (amount > stakedBalance[msg.sender]) {
revert InsufficientBalance();
}
if (block.timestamp < lastStakeTime[msg.sender] + cooldownPeriod) {
revert CooldownNotMet();
}
totalStaked -= amount;
stakedBalance[msg.sender] -= amount;
stakingToken.safeTransfer(msg.sender, amount);
emit Withdrawn(msg.sender, amount);
}
function claimRewards()
external
nonReentrant
updateReward(msg.sender)
{
uint256 reward = rewards[msg.sender];
if (reward == 0) revert NoRewardsToClaim();
rewards[msg.sender] = 0;
rewardToken.safeTransfer(msg.sender, reward);
emit RewardClaimed(msg.sender, reward);
}
function exit() external {
withdraw(stakedBalance[msg.sender]);
claimRewards();
}
// ──────────────────────────────────────────────
// Admin Functions
// ──────────────────────────────────────────────
function notifyRewardAmount(uint256 amount, uint256 duration)
external
onlyOwner
updateReward(address(0))
{
if (block.timestamp < periodFinish) {
uint256 remaining = periodFinish - block.timestamp;
uint256 leftover = remaining * rewardRate;
rewardRate = (amount + leftover) / duration;
} else {
rewardRate = amount / duration;
}
lastUpdateTime = block.timestamp;
periodFinish = block.timestamp + duration;
rewardToken.safeTransferFrom(msg.sender, address(this), amount);
emit RewardAdded(amount, duration);
}
function setCooldownPeriod(uint256 _cooldownPeriod) external onlyOwner {
cooldownPeriod = _cooldownPeriod;
emit CooldownUpdated(_cooldownPeriod);
}
function setMinimumStake(uint256 _minimumStake) external onlyOwner {
minimumStake = _minimumStake;
emit MinimumStakeUpdated(_minimumStake);
}
function pause() external onlyOwner {
_pause();
}
function unpause() external onlyOwner {
_unpause();
}
}Let me break down the design decisions.
Immutable token addresses. The staking and reward tokens are set once at deployment and cannot be changed. This eliminates an entire class of admin-key attacks where an owner swaps the token address to drain funds.
The `updateReward` modifier. This is the heart of the pattern. Every function that changes a user's stake or claims rewards passes through this modifier first. It updates the global accumulator, calculates what the user has earned, stores it, and snapshots the current index. This ensures no rewards are lost between interactions.
SafeERC20. Always. Some tokens do not return a boolean on transfer, and without SafeERC20 your contract will silently fail. I have seen this bug drain six figures from a production protocol.
Custom errors over require strings. Custom errors cost less gas than string-based reverts. At current L1 gas prices, this saves roughly 200 gas per failed transaction. It adds up.
Deposit and Withdraw Logic
The stake function follows the Checks-Effects-Interactions pattern religiously:
- Checks — Verify the amount is non-zero and meets the minimum stake requirement.
- Effects — Update
totalStaked,stakedBalance, andlastStakeTimebefore any external call. - Interactions — Transfer tokens from the user to the contract as the last operation.
This ordering is non-negotiable. If you put the safeTransferFrom before updating state, you open yourself to reentrancy attacks. Yes, even with nonReentrant. Defense in depth means you do not rely on a single protection mechanism.
The withdraw function includes a cooldown check. This is not just a UX feature — it is a security mechanism. Without a cooldown, an attacker could flash-loan tokens, stake them at the start of a reward period, claim a disproportionate share of rewards, and withdraw in the same block. The cooldown forces a minimum commitment period.
I typically set cooldowns between 24 hours and 7 days depending on the protocol economics. For client projects, I model the optimal cooldown period based on the reward rate and expected TVL. Too short and you get flash-loan gaming. Too long and you hurt legitimate users who need liquidity.
The exit function is a convenience wrapper. Users can withdraw their full stake and claim rewards in a single transaction, saving gas on the second updateReward modifier execution.
Reward Calculation and Claiming
The reward calculation is where most staking bugs hide. Let me walk through the math with a concrete example.
Say we have:
rewardRate= 100 tokens per secondtotalStaked= 10,000 tokens- Alice staked 2,000 tokens at time T=0
- Bob staked 3,000 tokens at time T=50
At T=50 (Bob stakes):
rewardPerToken = 0 + (50 * 100 * 1e18 / 10,000) = 500_000_000_000_000 (0.0005e18)
Alice earned = 2,000 * 0.0005e18 / 1e18 = 1.0 token ... wait.Let me use cleaner numbers. With rewardRate = 1e18 (1 token per second at 18 decimals):
rewardRate = 1e18
totalStaked = 10_000e18
At T=50:
rewardPerToken = (50 * 1e18 * 1e18) / 10_000e18 = 5e15
Alice earned = 2_000e18 * 5e15 / 1e18 = 10e18 = 10 tokensAlice earned 10 tokens from a 50-second period, holding 20% of the pool. That is 20% of 50 tokens = 10 tokens. The math checks out.
At T=50, Bob joins with 3,000 tokens. Total staked is now 13,000.
At T=100:
rewardPerToken = 5e15 + (50 * 1e18 * 1e18) / 13_000e18 = 5e15 + 3.846e15 = 8.846e15
Alice earned = 2_000e18 * (8.846e15 - 0) / 1e18 = 17.692 tokens
Bob earned = 3_000e18 * (8.846e15 - 5e15) / 1e18 = 11.538 tokens
Total distributed = 29.23 tokens (out of 100 total rewards)Wait — 100 seconds at 1 token/second = 100 tokens total. Alice gets 10 (first 50s alone) + 7.69 (next 50s as 2/13 of pool) = 17.69. Bob gets 11.54 (50s as 3/13 of pool). Total = 29.23. The remaining 70.77 tokens went to the other 8,000 staked tokens held by other participants. The math is sound.
The claimRewards function follows the same CEI pattern: check that rewards exist, zero out the stored rewards (effect), then transfer (interaction). Setting rewards[msg.sender] = 0 before the transfer is critical — it prevents reentrancy from double-claiming.
Compound Staking
For protocols where the staking token and reward token are the same (like staking a governance token that also earns more governance tokens), compounding is a powerful feature. Here is how I implement it as a separate contract variant:
/// @title CompoundableStakingVault
/// @notice Extension that allows re-staking earned rewards when
/// stakingToken == rewardToken.
contract CompoundableStakingVault is ReentrancyGuard, Ownable, Pausable {
using SafeERC20 for IERC20;
IERC20 public immutable token; // Same token for staking and rewards
uint256 public rewardRate;
uint256 public periodFinish;
uint256 public lastUpdateTime;
uint256 public rewardPerTokenStored;
uint256 public totalStaked;
mapping(address => uint256) public stakedBalance;
mapping(address => uint256) public userRewardPerTokenPaid;
mapping(address => uint256) public rewards;
event Compounded(address indexed user, uint256 amount);
modifier updateReward(address account) {
rewardPerTokenStored = _rewardPerToken();
lastUpdateTime = _lastTimeRewardApplicable();
if (account != address(0)) {
rewards[account] = _earned(account);
userRewardPerTokenPaid[account] = rewardPerTokenStored;
}
_;
}
function compound()
external
nonReentrant
whenNotPaused
updateReward(msg.sender)
{
uint256 reward = rewards[msg.sender];
if (reward == 0) revert("Nothing to compound");
rewards[msg.sender] = 0;
totalStaked += reward;
stakedBalance[msg.sender] += reward;
emit Compounded(msg.sender, reward);
}
function _rewardPerToken() internal view returns (uint256) {
if (totalStaked == 0) return rewardPerTokenStored;
return rewardPerTokenStored + (
(_lastTimeRewardApplicable() - lastUpdateTime)
* rewardRate * 1e18 / totalStaked
);
}
function _lastTimeRewardApplicable() internal view returns (uint256) {
return block.timestamp < periodFinish
? block.timestamp
: periodFinish;
}
function _earned(address account) internal view returns (uint256) {
return (
stakedBalance[account]
* (_rewardPerToken() - userRewardPerTokenPaid[account])
/ 1e18
) + rewards[account];
}
}The key insight with compounding: no external token transfer is needed. The reward tokens are already sitting in the contract. You simply move them from the user's "unclaimed rewards" balance to their "staked" balance. This saves significant gas — no ERC-20 transfer call, no approval needed.
I have seen protocols that implement compounding by claiming rewards to the user, then requiring a separate stake call. That approach costs roughly 80,000 extra gas per compound operation due to two ERC-20 transfers instead of zero. Over thousands of compounds across your user base, that is real money wasted.
For protocols where the staking and reward tokens differ, you would need an on-chain swap (via a DEX router) to convert the reward token into the staking token. That is significantly more complex and introduces slippage concerns. I only recommend on-chain auto-compounding for same-token setups.
Multi-Token Staking
Some protocols need to distribute multiple reward tokens simultaneously — for example, a liquidity mining program that pays both a protocol token and ETH fees. Here is the pattern I use:
/// @notice Multi-reward staking — distributes multiple reward tokens
/// simultaneously using independent reward indexes per token.
contract MultiRewardStaking is ReentrancyGuard, Ownable {
using SafeERC20 for IERC20;
IERC20 public immutable stakingToken;
uint256 public totalStaked;
struct RewardState {
uint256 rewardRate;
uint256 periodFinish;
uint256 lastUpdateTime;
uint256 rewardPerTokenStored;
}
address[] public rewardTokens;
mapping(address => RewardState) public rewardState;
mapping(address => mapping(address => uint256)) public userRewardPerTokenPaid;
mapping(address => mapping(address => uint256)) public rewards;
mapping(address => uint256) public stakedBalance;
mapping(address => bool) public isRewardToken;
error TokenAlreadyAdded();
error TokenNotRegistered();
function addRewardToken(address token) external onlyOwner {
if (isRewardToken[token]) revert TokenAlreadyAdded();
rewardTokens.push(token);
isRewardToken[token] = true;
}
modifier updateAllRewards(address account) {
for (uint256 i = 0; i < rewardTokens.length; i++) {
address token = rewardTokens[i];
RewardState storage state = rewardState[token];
state.rewardPerTokenStored = _rewardPerToken(token);
state.lastUpdateTime = _lastTimeApplicable(token);
if (account != address(0)) {
rewards[token][account] = _earned(token, account);
userRewardPerTokenPaid[token][account] =
state.rewardPerTokenStored;
}
}
_;
}
function stake(uint256 amount)
external
nonReentrant
updateAllRewards(msg.sender)
{
totalStaked += amount;
stakedBalance[msg.sender] += amount;
stakingToken.safeTransferFrom(msg.sender, address(this), amount);
}
function claimAllRewards()
external
nonReentrant
updateAllRewards(msg.sender)
{
for (uint256 i = 0; i < rewardTokens.length; i++) {
address token = rewardTokens[i];
uint256 reward = rewards[token][msg.sender];
if (reward > 0) {
rewards[token][msg.sender] = 0;
IERC20(token).safeTransfer(msg.sender, reward);
}
}
}
function _rewardPerToken(address token)
internal
view
returns (uint256)
{
if (totalStaked == 0) return rewardState[token].rewardPerTokenStored;
RewardState storage state = rewardState[token];
return state.rewardPerTokenStored + (
(_lastTimeApplicable(token) - state.lastUpdateTime)
* state.rewardRate * 1e18 / totalStaked
);
}
function _lastTimeApplicable(address token)
internal
view
returns (uint256)
{
return block.timestamp < rewardState[token].periodFinish
? block.timestamp
: rewardState[token].periodFinish;
}
function _earned(address token, address account)
internal
view
returns (uint256)
{
return (
stakedBalance[account]
* (_rewardPerToken(token) - userRewardPerTokenPaid[token][account])
/ 1e18
) + rewards[token][account];
}
}Each reward token gets its own independent RewardState — its own rate, period, and accumulator. The updateAllRewards modifier loops through all reward tokens, but the gas cost scales linearly with the number of reward tokens, not the number of stakers. In practice, protocols rarely have more than 3-4 reward tokens, so this loop is negligible.
The alternative approach (used by some protocols) is to create separate staking contracts per reward token. I do not recommend this. It forces users to make multiple staking transactions, fragments liquidity, and creates accounting nightmares. One staking contract with multiple reward streams is cleaner.
Security Considerations
Staking contracts hold user funds. The security bar is mainnet-or-nothing. Here are the specific attack vectors I check for on every staking protocol I build:
1. Reward rate manipulation. If notifyRewardAmount can be called by anyone, an attacker can set the reward rate to zero or drain the reward pool by setting an extremely high rate for a short duration. Always restrict this to the owner (or better, a timelock-controlled multi-sig).
2. Flash loan attacks on reward distribution. Without a cooldown period, an attacker deposits a massive amount via flash loan at the start of a reward period, earns a disproportionate share in a single block, and withdraws. The cooldown period in my implementation prevents this. Some protocols also use a "warm-up" period where newly staked tokens earn reduced rewards for the first N blocks.
3. Rounding errors favoring attackers. The division in rewardPerToken always rounds down in Solidity. Over millions of transactions, these rounding errors can accumulate. I handle this by using 1e18 precision for the accumulator and by keeping a small dust balance in the contract to absorb rounding losses. Never let rounding errors compound to exploitable amounts.
4. Reward token balance vs accounting mismatch. If the contract's actual reward token balance falls below the total owed rewards, late claimers get nothing. The notifyRewardAmount function must transfer actual tokens, not just update accounting. I enforce this by calling safeTransferFrom in the same function that sets the reward rate.
5. Re-entrancy through malicious ERC-20 tokens. Some tokens have transfer hooks (ERC-777, tokens with callbacks). Even with nonReentrant, I follow CEI pattern as a second layer of defense. State changes always happen before external calls.
6. Pausing and emergency withdrawal. Every production staking contract needs a pause mechanism. If a vulnerability is discovered, you need to stop deposits immediately. My contracts inherit Pausable from OpenZeppelin, with the pause and unpause functions restricted to the owner. For an emergency withdrawal function that bypasses reward calculations, I recommend a separate emergencyWithdraw that returns staked tokens without claiming rewards:
function emergencyWithdraw() external nonReentrant {
uint256 amount = stakedBalance[msg.sender];
if (amount == 0) revert ZeroAmount();
totalStaked -= amount;
stakedBalance[msg.sender] = 0;
rewards[msg.sender] = 0;
stakingToken.safeTransfer(msg.sender, amount);
emit Withdrawn(msg.sender, amount);
}7. Front-running reward notifications. When an admin calls notifyRewardAmount, a front-runner can stake just before the transaction, capturing an unfair share of the first reward block. Mitigations include using commit-reveal for reward notifications or setting a minimum stake duration before rewards begin accruing.
Testing with Foundry
I test every staking contract with Foundry because its fuzz testing capabilities catch edge cases that unit tests miss. Here is my test structure:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.24;
import {Test, console2} from "forge-std/Test.sol";
import {StakingVault} from "../src/StakingVault.sol";
import {MockERC20} from "./mocks/MockERC20.sol";
contract StakingVaultTest is Test {
StakingVault public vault;
MockERC20 public stakingToken;
MockERC20 public rewardToken;
address public alice = makeAddr("alice");
address public bob = makeAddr("bob");
address public owner = makeAddr("owner");
uint256 constant INITIAL_BALANCE = 100_000e18;
uint256 constant REWARD_AMOUNT = 10_000e18;
uint256 constant REWARD_DURATION = 7 days;
uint256 constant MIN_STAKE = 100e18;
uint256 constant COOLDOWN = 1 days;
function setUp() public {
vm.startPrank(owner);
stakingToken = new MockERC20("Staking", "STK");
rewardToken = new MockERC20("Reward", "RWD");
vault = new StakingVault(
address(stakingToken),
address(rewardToken),
MIN_STAKE,
COOLDOWN
);
stakingToken.mint(alice, INITIAL_BALANCE);
stakingToken.mint(bob, INITIAL_BALANCE);
rewardToken.mint(owner, REWARD_AMOUNT);
rewardToken.approve(address(vault), REWARD_AMOUNT);
vault.notifyRewardAmount(REWARD_AMOUNT, REWARD_DURATION);
vm.stopPrank();
}
function test_StakeAndEarnRewards() public {
vm.startPrank(alice);
stakingToken.approve(address(vault), 1000e18);
vault.stake(1000e18);
vm.stopPrank();
// Advance time by half the reward period
vm.warp(block.timestamp + REWARD_DURATION / 2);
uint256 earned = vault.earned(alice);
// Alice is the only staker — should earn ~50% of total rewards
// Allow 0.1% tolerance for rounding
assertApproxEqRel(earned, REWARD_AMOUNT / 2, 0.001e18);
}
function test_MultipleStakersProportionalRewards() public {
// Alice stakes 1000, Bob stakes 3000
vm.prank(alice);
stakingToken.approve(address(vault), 1000e18);
vm.prank(alice);
vault.stake(1000e18);
vm.prank(bob);
stakingToken.approve(address(vault), 3000e18);
vm.prank(bob);
vault.stake(3000e18);
vm.warp(block.timestamp + REWARD_DURATION);
uint256 aliceEarned = vault.earned(alice);
uint256 bobEarned = vault.earned(bob);
// Alice: 25%, Bob: 75%
assertApproxEqRel(aliceEarned, REWARD_AMOUNT / 4, 0.001e18);
assertApproxEqRel(bobEarned, REWARD_AMOUNT * 3 / 4, 0.001e18);
}
function test_WithdrawBeforeCooldown_Reverts() public {
vm.startPrank(alice);
stakingToken.approve(address(vault), 1000e18);
vault.stake(1000e18);
vm.expectRevert(StakingVault.CooldownNotMet.selector);
vault.withdraw(500e18);
vm.stopPrank();
}
function test_BelowMinimumStake_Reverts() public {
vm.startPrank(alice);
stakingToken.approve(address(vault), 50e18);
vm.expectRevert(StakingVault.BelowMinimumStake.selector);
vault.stake(50e18);
vm.stopPrank();
}
// ── Fuzz Tests ──────────────────────────────────
function testFuzz_StakeAmount(uint256 amount) public {
amount = bound(amount, MIN_STAKE, INITIAL_BALANCE);
vm.startPrank(alice);
stakingToken.approve(address(vault), amount);
vault.stake(amount);
vm.stopPrank();
assertEq(vault.stakedBalance(alice), amount);
assertEq(vault.totalStaked(), amount);
}
function testFuzz_RewardsNeverExceedTotal(
uint256 aliceAmount,
uint256 bobAmount,
uint256 timeElapsed
) public {
aliceAmount = bound(aliceAmount, MIN_STAKE, INITIAL_BALANCE / 2);
bobAmount = bound(bobAmount, MIN_STAKE, INITIAL_BALANCE / 2);
timeElapsed = bound(timeElapsed, 1, REWARD_DURATION);
vm.prank(alice);
stakingToken.approve(address(vault), aliceAmount);
vm.prank(alice);
vault.stake(aliceAmount);
vm.prank(bob);
stakingToken.approve(address(vault), bobAmount);
vm.prank(bob);
vault.stake(bobAmount);
vm.warp(block.timestamp + timeElapsed);
uint256 totalEarned = vault.earned(alice) + vault.earned(bob);
// Total earned must never exceed total rewards
assertLe(totalEarned, REWARD_AMOUNT);
}
// ── Invariant: total staked == sum of individual balances ────
function testFuzz_TotalStakedInvariant(
uint256 stakeA,
uint256 stakeB
) public {
stakeA = bound(stakeA, MIN_STAKE, INITIAL_BALANCE / 2);
stakeB = bound(stakeB, MIN_STAKE, INITIAL_BALANCE / 2);
vm.prank(alice);
stakingToken.approve(address(vault), stakeA);
vm.prank(alice);
vault.stake(stakeA);
vm.prank(bob);
stakingToken.approve(address(vault), stakeB);
vm.prank(bob);
vault.stake(stakeB);
assertEq(
vault.totalStaked(),
vault.stakedBalance(alice) + vault.stakedBalance(bob)
);
}
}The key testing strategies:
- Proportional reward accuracy. Verify that stakers earn rewards proportional to their share. Use
assertApproxEqRelwith a small tolerance to account for integer division rounding. - Invariant: total rewards never exceed budget. No combination of stakes, withdrawals, and claims should allow more rewards to be distributed than were deposited. This is the single most important invariant for any staking protocol.
- Invariant: totalStaked equals sum of balances. If this invariant breaks, your accounting is wrong and someone can either drain the contract or get stuck.
- Cooldown enforcement. Verify that users cannot withdraw before the cooldown period expires.
- Boundary conditions. Fuzz with minimum stakes, maximum balances, zero elapsed time, and full duration elapsed.
I run fuzz tests with at least 10,000 iterations: forge test --fuzz-runs 10000. For production contracts, I go to 100,000 runs and add stateful invariant testing with Foundry's invariant test framework.
Gas Optimization
Gas matters for staking contracts because users interact frequently — staking, claiming, compounding. Here are the optimizations I apply:
1. Storage slot packing. The rewardRate, periodFinish, and lastUpdateTime values are all uint256. On L1 this costs 3 storage slots (3 * 20,000 gas for cold writes). If your values fit in smaller types, pack them:
// Packed into 2 storage slots instead of 3
uint128 public rewardRate; // Slot 1 (16 bytes)
uint64 public periodFinish; // Slot 1 (8 bytes)
uint64 public lastUpdateTime; // Slot 1 (8 bytes) — total: 32 bytesuint64 for timestamps gives you until the year 584 billion. uint128 for reward rate supports up to 3.4e38 — more than enough for any token with 18 decimals.
2. Minimize storage writes. The updateReward modifier writes to storage on every interaction. This is necessary for correctness, but you can reduce the cost by batching: the exit function combines withdraw and claimRewards, but each triggers updateReward separately. A gas-optimized version would combine them into a single internal function with one modifier execution.
3. Use `immutable` for constructor-set values. The stakingToken and rewardToken addresses are immutable, which means they are embedded in the contract bytecode rather than stored in storage. Reading an immutable costs 3 gas. Reading from storage costs 2,100 gas (cold) or 100 gas (warm). This alone saves ~4,000 gas per transaction.
4. Custom errors over strings. Already implemented in the contract above. Each custom error saves approximately 200 gas compared to a require with a string message.
5. Unchecked math where safe. In the withdraw function, totalStaked -= amount is safe because we already checked amount <= stakedBalance[msg.sender] and totalStaked >= stakedBalance[msg.sender] is an invariant. Wrapping this in unchecked saves approximately 150 gas per subtraction:
unchecked {
totalStaked -= amount;
stakedBalance[msg.sender] -= amount;
}Only use unchecked when you can formally prove the operation cannot overflow or underflow. If you are not sure, do not use it. The gas savings are not worth the security risk.
Gas benchmarks from a recent client project:
| Operation | Gas (unoptimized) | Gas (optimized) | Savings |
|---|---|---|---|
| stake | 112,400 | 89,200 | 20.6% |
| withdraw | 98,700 | 76,300 | 22.7% |
| claim | 87,100 | 68,500 | 21.3% |
| compound | 72,300 | 54,800 | 24.2% |
These numbers are from an L1 deployment. On L2s like Arbitrum or Base, the absolute costs are 10-50x lower, but the percentage savings remain the same. Optimizing still matters on L2 because it improves the user experience and reduces costs at scale.
Key Takeaways
- Use the reward index pattern. It is O(1) per user, gas-efficient, and battle-tested across billions of dollars of TVL. Never iterate over stakers.
- Follow Checks-Effects-Interactions. Every function that touches user funds must update state before making external calls. Add
nonReentrantas a second layer, not a replacement.
- Implement cooldown periods. They prevent flash-loan attacks on reward distribution. Model the optimal period based on your protocol's economics.
- Compound staking saves gas when tokens match. No external transfers needed — just move rewards from unclaimed to staked balance. This saves roughly 80,000 gas per operation.
- Multi-token rewards use independent accumulators. Each reward token gets its own
RewardState. The gas cost scales with reward token count, not staker count.
- Fuzz test your invariants. "Total rewards distributed never exceed total rewards deposited" and "totalStaked equals sum of all balances" are the two critical invariants. Run at least 10,000 fuzz iterations.
- Pack storage slots for gas savings. Using
uint128anduint64instead ofuint256where appropriate can save 20%+ on gas costs.
- Always include emergency withdrawal. Users must be able to recover their staked tokens even if the reward system breaks. This function should bypass all reward calculations.
If you are building a staking protocol and want production-grade smart contract development with security auditing, check out my services. I have built staking systems across Ethereum, Arbitrum, and Base for DeFi clients throughout Southeast Asia and the UK.
*Built by Uvin Vindula↗ — Web3 engineer, ethical hacker, and builder at the intersection of DeFi and real-world utility. Based between Sri Lanka and the UK. Follow my work at @IAMUVIN↗.*
Working on a Web3 or AI project?
Uvin Vindula
Web3 and AI engineer based in Sri Lanka and the UK. Author of The Rise of Bitcoin. Director of Blockchain and Software Solutions at Terra Labz. Founder of uvin.lk — Sri Lanka's Bitcoin education platform with 10,000+ learners.