Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Penalty tokens will be locked

gajiknownnothing

Summary

The penalty tokens are subtracted from the totalRewards but are not added back to the reward pool or made withdrawable by the contract admin. As a result, these penalty tokens become inaccessible.

Vulnerability Details

When a user claims rewards and incurs a penalty, the penalty amount is subtracted from the totalRewards. This subtraction prevents the penalty tokens from being accounted for in the available reward pool for the next epoch:

File: FjordStaking.sol
616: function claimReward(bool _isClaimEarly)
...
650:>> totalRewards -= (rewardAmount + penaltyAmount);
651: userData[msg.sender].unclaimedRewards -= (rewardAmount + penaltyAmount);
652:
653: //INTERACT
654: fjordToken.safeTransfer(msg.sender, rewardAmount);

Additionally, the contract lacks a function to withdraw these locked penalty tokens, meaning they cannot be recovered.

Impact

The penalty tokens are locked.

Tools Used

vscode

Recommendations

Not subtract the penaltyAmount from totalRewards, so that the penaltyAmount tokens could be distributed in the next epoch.

- totalRewards -= (rewardAmount + penaltyAmount);
+ totalRewards -= rewardAmount;
Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.