In FjordPoints::setPointsPerEpoch, the owner can update pointsPerEpoch at any time, which lets the owner change the points distributed just before an epoch ends.
Looking at the checkDistribution modifier, which includes distributePoints, the condition above in distributePoints() implies that whenever the epoch duration has NOT passed, the owner can freely update pointsPerEpoch.
IMPORTANTLY, the updatePendingPoints modifier uses the pointsPerToken variable, which is calculated in distributePoints() using the current pointsPerEpoch (which the owner can spoof).
https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L148
https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L242
The owner sets a high pointsPerEpoch to attract many stakers.
The stakers have been staking tokens in the protocol for 6 days now, and they are expecting many points.
At the end of the 7th day, the owner lowers the pointsPerEpoch.
A week has now passed, and points can now be distributed.
The stakers will get points according to the newly set pointsPerEpoch, which is lower than anticipated.
A malicious owner could set pointsPerEpoch high to attract stakers, then lower it just before the epoch ends to reduce the actual rewards distributed.
Manual review, Zed code editor
Implement a time delay for changes to pointsPerEpoch, so they only take effect in future epochs.
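The recommendation above, modelled as an added example (a simplified Python model written for this write-up, not the FjordPoints source). The 18-decimal precision, the per-epoch accounting, the pending-rate field and the sample numbers are assumptions made for illustration.

```python
EPOCH_DURATION = 7 * 24 * 3600  # one-week epoch, as in the scenario above
PRECISION = 10**18              # assumed fixed-point scale for pointsPerToken

class PointsModel:
    """Simplified epoch accounting; field names mirror the report, logic is assumed."""

    def __init__(self, points_per_epoch, total_staked, delayed_updates):
        self.points_per_epoch = points_per_epoch
        self.pending_points_per_epoch = None  # hypothetical queued rate (mitigation)
        self.total_staked = total_staked
        self.points_per_token = 0
        self.last_distribution = 0
        self.delayed_updates = delayed_updates

    def distribute_points(self, now):
        # Nothing is distributed until a full epoch has elapsed.
        if now < self.last_distribution + EPOCH_DURATION or self.total_staked == 0:
            return
        epochs = (now - self.last_distribution) // EPOCH_DURATION
        # Elapsed epochs are paid at whatever rate is active right now.
        self.points_per_token += epochs * self.points_per_epoch * PRECISION // self.total_staked
        self.last_distribution += epochs * EPOCH_DURATION
        # Mitigation: a queued rate becomes active only after that payout.
        if self.pending_points_per_epoch is not None:
            self.points_per_epoch = self.pending_points_per_epoch
            self.pending_points_per_epoch = None

    def set_points_per_epoch(self, now, new_rate):
        self.distribute_points(now)  # stands in for the checkDistribution modifier
        if self.delayed_updates:
            self.pending_points_per_epoch = new_rate  # applies from the next epoch
        else:
            self.points_per_epoch = new_rate          # behaviour described in the report

def epoch_payout(delayed_updates):
    """Total points paid for the first epoch when the rate is cut 1000 -> 10 one second before it ends."""
    m = PointsModel(points_per_epoch=1000, total_staked=100, delayed_updates=delayed_updates)
    # Constructed scenario: the owner lowers the rate just before the epoch boundary.
    m.set_points_per_epoch(now=EPOCH_DURATION - 1, new_rate=10)
    m.distribute_points(now=EPOCH_DURATION)
    return m.points_per_token * m.total_staked // PRECISION
```

With immediate updates the whole epoch is paid at the lowered rate; with the queued update the stakers receive the rate that was advertised while they were staking.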