Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

User can still call `claimReward` even if they have claimed last epoch

y4y

Summary

The claimReward function's comment section stated that users who have claimed from the last epoch cannot claim reward again, but this check doesn't work.

Vulnerability Details

Here is claimReward:

function claimReward(bool _isClaimEarly)

external

checkEpochRollover

redeemPendingRewards

returns (uint256 rewardAmount, uint256 penaltyAmount)

{

//CHECK

UserData storage ud = userData[msg.sender];

// do not allow to claimReward while user have pending claimReceipt

// or user have claimed from the last epoch

if (

claimReceipts[msg.sender].requestEpoch > 0

|| claimReceipts[msg.sender].requestEpoch >= currentEpoch - 1

) revert ClaimTooEarly();

We see from the comments, that if an user have requested a claim, he cannot claim another one, also if he has claimed from the last epoch, he will be denied as well. However, if we look at completeClaimRequest:

function completeClaimRequest()

external

checkEpochRollover

redeemPendingRewards

returns (uint256 rewardAmount)

{

ClaimReceipt memory cr = claimReceipts[msg.sender];

//CHECK

if (cr.requestEpoch < 1) revert ClaimReceiptNotFound();

// to complete claim receipt, user must wait for at least 3 epochs

if (currentEpoch - cr.requestEpoch <= claimCycle) revert CompleteRequestTooEarly();

//EFFECT

rewardAmount = cr.amount;

userData[msg.sender].unclaimedRewards -= rewardAmount;

totalRewards -= rewardAmount;

delete claimReceipts[msg.sender];

//INTERACT

fjordToken.safeTransfer(msg.sender, rewardAmount);

emit RewardClaimed(msg.sender, rewardAmount);

}

When a request is fulfilled, its entry is deleted, which means there will be no record to tell if the user has claimed reward in the last epoch or not. Thus the enforement is vague.

Impact

Users who has claimed last round, can still request a new claim request. Breaking the protocol's invariant.

Tools Used

Manual review

Recommendations

Add a new map to store last user's successful claim, and if user has claimed in the last epoch, revert.

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.