DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Initializing `lastDistribution` to the contract deployment time causes inaccurate point distribution

Summary

The lastDistribution variable in the FjordPoints contract is initialized to the contract deployment time. This can lead to inaccurate point distribution calculations if there is a significant delay between the contract deployment and the first token stake.

Vulnerability Details

The lastDistribution variable is set to block.timestamp at the time of contract deployment:

File: FjordPoints.sol

```solidity
constructor() ERC20("BjordBoint", "BJB") {
    owner = msg.sender;
    // Highlighted by the submission: set once, at deployment time
    lastDistribution = block.timestamp;
    ...
}
```

When the distributePoints() function is called, it calculates the number of weeks pending since the last distribution:

File: FjordPoints.sol

```solidity
function distributePoints() public {
    ...
    // Highlighted by the submission: whole epochs elapsed since lastDistribution
    uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;
    pointsPerToken =
        pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));
    totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);
    lastDistribution = lastDistribution + (weeksPending * 1 weeks);
    ...
}
```

If the first token stake occurs long after the contract deployment (e.g., 1 month later), the weeksPending calculation would return a value greater than 1. This would cause pointsPerToken to accumulate points for multiple weeks, even though no tokens were staked during that time.

Impact

This issue leads to an unintended accumulation of points.

For example:

  1. The FjordPoints contract is deployed on 2024/09/01.
  2. The first token stake happens one month later.
  3. weeksPending is 4.
  4. pointsPerToken accumulates 4 weeks of points for the first token stake.

Tools Used

vscode

Recommendations

Initialize lastDistribution in the distributePoints() function instead of the constructor: set lastDistribution to block.timestamp if it is zero.
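The following Python model replays the Impact timeline (deployed 2024/09/01, first stake one month later) through the arithmetic of the distributePoints() excerpt, once with constructor initialization and once with the recommended lazy initialization. It is an added example, not code from the contract or the submission; `PointsModel`, `first_stake_scenario`, the pointsPerEpoch value, the stake amount and the early return when nothing is staked are assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH_DURATION = 7 * 24 * 3600      # "1 weeks" in seconds
PRECISION_18 = 10**18
POINTS_PER_EPOCH = 100 * 10**18     # constructed value, not taken from the page


class PointsModel:
    """Integer model of the distributePoints() arithmetic quoted above."""

    def __init__(self, deploy_time: int, lazy_init: bool):
        self.lazy_init = lazy_init
        # Constructor behaviour vs. the recommendation (leave at zero).
        self.last_distribution = 0 if lazy_init else deploy_time
        self.points_per_token = 0
        self.total_points = 0
        self.total_staked = 0

    def distribute_points(self, now: int) -> int:
        if self.total_staked == 0:
            return 0  # assumption: skip while nothing is staked (avoids /0)
        if self.lazy_init and self.last_distribution == 0:
            self.last_distribution = now  # recommended lazy initialization
        weeks_pending = (now - self.last_distribution) // EPOCH_DURATION
        per_token = POINTS_PER_EPOCH * PRECISION_18 // self.total_staked
        self.points_per_token += weeks_pending * per_token
        self.total_points += POINTS_PER_EPOCH * weeks_pending
        self.last_distribution += weeks_pending * EPOCH_DURATION
        return weeks_pending


def first_stake_scenario(lazy_init: bool, later: timedelta = timedelta(0)):
    """Return (weeksPending of the last call, pointsPerToken) for the timeline."""
    deploy = int(datetime(2024, 9, 1, tzinfo=timezone.utc).timestamp())
    first_stake = int(datetime(2024, 10, 1, tzinfo=timezone.utc).timestamp())
    model = PointsModel(deploy, lazy_init)
    model.total_staked += 1000 * 10**18          # constructed stake amount
    weeks = model.distribute_points(first_stake)
    if later:
        weeks = model.distribute_points(first_stake + int(later.total_seconds()))
    return weeks, model.points_per_token


if __name__ == "__main__":
    print("constructor init:", first_stake_scenario(lazy_init=False))
    print("lazy init:       ", first_stake_scenario(lazy_init=True))
```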

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
