Fjord Token Staking

Summary

FjordPoints#checkDistribution() modifier never reverts

Vulnerability Detail

1. FjordPoints#checkDistribution() modifier is using on the following functions for distribution status check.

   • FjordPoints#setPointsPerEpoch()

   • FjordPoints#onStaked()

   • FjordPoints#onUnstaked()

   • FjordPoints#claimPoints()

2. FjordPoints#checkDistribution() modifier

   • calls FjordPoints#distributePoints().

   • has not any additional revert logic.

1. FjordPoints#distributePoints()

   • does not revert even EPOCH_DURATION is not expired or totalStaked is zero.

   • has not any additional revert logic.

Impact

Protocol Point's distribution logic can be executed anytime without any time block such as EPOCH_DURATION and it will happen protocol's violation.

Proof of Concept

1. Bob calls FjordPoints#claimPoints multiple time without any waiting to claim his points.

2. FjordPoints#checkDistribution modifier does not revert.

3. So Bob can claim his points any time without any waiting.

Code Snippet

https://github.com/Cyfrin/2024-08-fjord/blob/main/src/FjordPoints.sol#L232-L248

Tool used

Manual Review

Recommendation

Please update FjordPoints#distributePoints() as following.