DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

New users can claim rewards from past distributions even if they did not participate in the staking period during which those rewards were generated

Summary:

The contract allows new users to claim rewards from past distributions even if they did not participate in the staking period during which those rewards were generated. This is due to the pointsPerToken not being reset or adjusted when totalStaked is zero.

Vulnerability Details:

Location:

FjordPoints.sol contract,
distributePoints function,
updatePendingPoints modifier

Description:

The distributePoints function is responsible for updating pointsPerToken based on the total staked amount and elapsed time. However, if totalStaked is zero, the function exits early without updating pointsPerToken, preserving its last value.
The updatePendingPoints modifier calculates owed points for users based on the current pointsPerToken. When a new user stakes after a period of zero total staked, they can claim rewards based on the preserved pointsPerToken value.

Example Scenario:

Assume totalStaked becomes zero, and no points are distributed during this period.
When staking resumes, new users can stake and claim rewards using the last pointsPerToken, effectively receiving rewards from past distributions they did not contribute to.

Impact:

  • New users can unfairly claim rewards from past distributions, leading to an imbalance in reward distribution.

  • This dilutes the rewards for genuine long-term stakers who participated during the actual reward-generating periods.

  • Potential for economic exploitation where users can strategically stake after periods of inactivity to maximize reward claims without contributing to the staking pool during reward-generating epochs.

Tools Used:

Manual review

Recommendations:

  • Consider resetting or adjusting pointsPerToken when totalStaked is zero.

  • Implement a mechanism to track user entry and adjust their initial lastPointsPerToken.

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
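
A way to test the idle-gap scenario from the submission before filing it, as an added example that is not part of the submission or of FjordPoints.sol: a simplified Python model of a cumulative points-per-token accumulator, run under two settlement orderings. The class, the `settle_first` switch, the fixed-point scale and the sample amounts are assumptions constructed for illustration; only the zero-stake early exit and the per-user checkpoint idea come from the report.

```python
# Simplified model of a cumulative points-per-token accumulator.
# Constructed for illustration; this is not FjordPoints.sol.
PRECISION = 10**18  # assumed fixed-point scale


class PointsModel:
    def __init__(self, points_per_epoch, settle_first=True):
        self.points_per_epoch = points_per_epoch
        self.settle_first = settle_first  # hypothetical switch between the two orderings
        self.points_per_token = 0
        self.total_staked = 0
        self.users = {}

    def _user(self, addr):
        return self.users.setdefault(addr, {"staked": 0, "last": 0, "pending": 0})

    def distribute(self, epochs=1):
        if self.total_staked == 0:  # early exit from the report: value is preserved
            return
        self.points_per_token += epochs * self.points_per_epoch * PRECISION // self.total_staked

    def settle(self, addr):
        # Credit points accrued since the user's checkpoint, then move the checkpoint.
        u = self._user(addr)
        u["pending"] += u["staked"] * (self.points_per_token - u["last"]) // PRECISION
        u["last"] = self.points_per_token
        return u["pending"]

    def change_stake(self, addr, delta):
        if self.settle_first:
            self.settle(addr)                    # checkpoint taken against the old balance
            self._user(addr)["staked"] += delta
        else:
            self._user(addr)["staked"] += delta
            self.settle(addr)                    # defect: new balance times old accrual
        self.total_staked += delta


def idle_gap_scenario(settle_first):
    m = PointsModel(points_per_epoch=100, settle_first=settle_first)
    m.change_stake("alice", 1000)
    m.distribute(epochs=3)           # 3 epochs x 100 points, alice is the only staker
    m.change_stake("alice", -1000)   # total_staked drops to zero
    m.distribute(epochs=2)           # idle gap: nothing accrues
    m.change_stake("bob", 1000)      # new staker after the gap
    bob_at_entry = m.settle("bob")
    m.distribute(epochs=1)           # 100 points accrue to bob from here on
    return m.settle("alice"), bob_at_entry, m.settle("bob")
```

With settlement before the balance change the new staker is owed 0 at entry even though the accumulator kept its old value; the misordered variant credits the past 300 points to the newcomer instead of the original staker.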
