First Flight #9: Soulmate

First Flight #9

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Invalid

In Staking.sol::claimRewards the user gets "cheated" out of staked time by `lastClaim[msg.sender] = block.timestamp;`.

bigBagBoogy

Summary

When a user claims staking rewards just shy of 2 weeks, she'll get 1 token and has the surplus time (over 1 week) reset to "0"

Impact

The impact of the issue is that users claiming staking rewards just shy of two weeks (or any amount of weeks) will receive only one token, effectively losing the surplus time (over one week) as it resets to "0". This results in a loss of potential rewards for users who stake for periods just under two weeks, which may lead to dissatisfaction among users and impact the overall fairness and attractiveness of the staking mechanism.

Proof of Concept

Please paste this test at the bottom in StakingTest.t.sol and run: forge test --mt test_claimingAfter13daysBurns6daysOfStaking -vvvvv

function test_claimingAfter13daysBurns6daysOfStaking() public {

_depositTokenToStake(1 ether);

uint256 almost2weeks = 2 weeks - 1 seconds;

console2.log("almost2weeks: ", almost2weeks); // 1209599

vm.warp(almost2weeks); // 1209599

vm.startPrank(soulmate1);

console2.log("last claim: ", stakingContract.lastClaim(soulmate1));

stakingContract.claimRewards();

console2.log("soulmate1's lovetoken balance: ", loveToken.balanceOf(soulmate1)); // 1

console2.log("last claim: ", stakingContract.lastClaim(soulmate1));

vm.warp(almost2weeks + 6 days); // now the user is staking for 20+ days

vm.expectRevert();

stakingContract.claimRewards(); // no, even after 20+ days the user can't claim a second token, because she minted at the "wrong" moment.

console2.log("soulmate1's lovetoken balance: ", loveToken.balanceOf(soulmate1)); // 1

console2.log("last claim: ", stakingContract.lastClaim(soulmate1));

}

Tools Used

manual review

Recommendations

Update last claim time by adding 1 week for each week staked

+ lastClaim[msg.sender] += 1 weeks * timeInWeeksSinceLastClaim;

- lastClaim[msg.sender] = block.timestamp;

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

233

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.