DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Valid

Fjord Points rewards are sandwichable

Summary

100e18 Fjord Points are distributed each epoch (weekly) to stakers in the protocol. Since there are no fees or timelock associated with staking in order to receive a portion of these rewards, a malicious user can sandwich the distribution.

Vulnerability Details

Whenever a user stakes or unstakes in the FjordStaking.sol contract, it invokes the FjordPoints.sol contract to also keep count of a user's stake:

```solidity
function onStaked(address user, uint256 amount)
    external
    onlyStaking
    checkDistribution
    updatePendingPoints(user)
{
    UserInfo storage userInfo = users[user];
    userInfo.stakedAmount = userInfo.stakedAmount.add(amount);
    totalStaked = totalStaked.add(amount);
    emit Staked(user, amount);
}
```

On each stake/unstake there are 2 modifiers:

  1. checkDistribution to check if the epoch timer has passed and it's time to distribute epoch rewards for the week

  2. updatePendingPoints to update any pending user points

The issue is that, since there are no fees and no minimum staking time required to receive rewards, a malicious user can sandwich the tx that distributes the weekly epoch rewards and unfairly capture a share of them. Not only is the protocol deploying on mainnet, where MEV is possible, but the exact time at which the rewards are distributed each week is also easy to figure out:

```solidity
if (block.timestamp < lastDistribution + EPOCH_DURATION) {
    return;
}
...
lastDistribution = lastDistribution + (weeksPending * 1 weeks);
...
```

The attack would proceed as follows:

  1. The malicious user calculates the timestamp at which the weekly rewards are distributed

  2. They see the transaction to distributePoints() in the mempool

  3. They sandwich the tx by staking as much as they can right before it and unstaking right after, capturing an unfair share of the rewards distribution

Although FjordStaking.sol has a cooldown period of 3 epochs before you can unstake, epochs between the 2 contracts are not synchronized (according to developers), which means that any time they are NOT perfectly synchronized to the second, an attacker can pull this off.

Impact

Sandwich of epoch rewards distribution.

Tools Used

Manual review

Recommendations

A minimum amount of time that a position must remain staked in order to be eligible for rewards is one mitigation I can think of.
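To make the sandwich described above and the recommended mitigation concrete, here is an added simulation (not code from the Fjord contracts) of a simplified epoch points distributor. It models the desynchronized case where the points contract does not see the staking contract's cooldown, and assumes a hypothetical MIN_STAKE_DURATION eligibility rule as the fix.

```python
# Added model of per-epoch points distribution (not the FjordPoints code).
# Each staker's share of the epoch's points is stakedAmount / totalStaked at
# distribution time; the hardened variant additionally ignores any stake that
# has been in place for less than MIN_STAKE_DURATION (assumed mitigation).
from dataclasses import dataclass, field

EPOCH_DURATION = 7 * 24 * 3600       # weekly epochs, as in the report
POINTS_PER_EPOCH = 100 * 10**18      # 100e18 points distributed per epoch
MIN_STAKE_DURATION = EPOCH_DURATION  # assumed: must be staked a full epoch


@dataclass
class Staker:
    amount: int = 0
    staked_at: int = 0  # timestamp of the most recent stake (restarts clock)
    points: int = 0


@dataclass
class PointsModel:
    require_min_duration: bool
    stakers: dict = field(default_factory=dict)

    def stake(self, user, amount, now):
        s = self.stakers.setdefault(user, Staker())
        s.amount += amount
        s.staked_at = now

    def unstake(self, user, amount):
        self.stakers[user].amount -= amount

    def eligible_amount(self, s, now):
        # Hardened rule: a stake younger than MIN_STAKE_DURATION earns nothing.
        if self.require_min_duration and now - s.staked_at < MIN_STAKE_DURATION:
            return 0
        return s.amount

    def distribute(self, now):
        total = sum(self.eligible_amount(s, now) for s in self.stakers.values())
        if total == 0:
            return
        for s in self.stakers.values():
            s.points += POINTS_PER_EPOCH * self.eligible_amount(s, now) // total


def run_sandwich(require_min_duration):
    """Honest user stakes at epoch start; attacker sandwiches distribution."""
    m = PointsModel(require_min_duration)
    m.stake("honest", 100 * 10**18, 0)
    dist_time = EPOCH_DURATION
    m.stake("attacker", 900 * 10**18, dist_time - 1)  # front-run distribution
    m.distribute(dist_time)
    m.unstake("attacker", 900 * 10**18)               # back-run: exit at once
    return {u: s.points for u, s in m.stakers.items()}
```

Without the duration rule the attacker walks away with 90% of the epoch's points for one second of exposure; with it the late stake earns nothing and the honest staker keeps the full 100e18.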

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

Submission Judgement Published
Validated
Assigned finding tags:

If epoch end times of FjordStaking and FjordPoints are desynchronized, users will be able to exploit the desynchronization to stake>claim>unstake instantly, getting points they shouldn't

Impact: High - Users are getting an unreasonable amount of points through exploiting a vulnerability.

Likelihood: Low - Most of the time, when using the script, all deployment txs will get processed in the same block. But there is a small chance for them to be processed in different blocks.
