`totalPoints` doesn’t get updated correctly leading to inaccurate data
Summary
The totalPoints variable is designed to track the total number of points distributed as stated in the documentation. However, if a user doesn’t claim their points or burns them after claiming, this variable will not accurately reflect the total points in circulation.
Vulnerability Details
The totalPoints variable in FjordPoints.sol is solely used to update itself whenever an epoch rolls over. When a user doesn’t claim their share of points, the variable will still count these tokens as distributed, even though they remain within the FjordPoints contract.
Additionally, when a user claims the points and then burns them without using them in an auction, the variable will still report these points as if they have been or could be used in auctions.
Impact
Protocols implementing FjordPoints in their contracts may access inaccurate data, leading to potential issues within their systems.
Tools Used
Manual Review
Recommendations
Consider only increasing totalPoints when the tokens are minted in FjordPoints::claimPoints. To fix the issue with burning points without using them, override the burn function to decrease totalPoints by the amount burned. Note that the auction contract also burns the points, but in this case, the points have actually been used and so totalPoints should not be updated.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.