Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Valid

Wrong parameter in event PointsDistributed()

0xziin

Summary

Wrong parameter in event PointsDistributed() could cause problems with offchain applications/Dapps, and mislead the end user.

Vulnerability Details

In FjordPoints.sol the event is defined as follow :

https://github.com/Cyfrin/2024-08-fjord/blob/main/src/FjordPoints.sol#L101-L106

/**

* @notice Emitted when points are distributed to stakers.

* @param points The total number of points distributed.

* @param pointsPerToken The amount of points distributed per token staked.

event PointsDistributed(uint256 points, uint256 pointsPerToken);

But it is used with the wrong parameter in distributePoints()::FjordPoints.sol :

https://github.com/Cyfrin/2024-08-fjord/blob/main/src/FjordPoints.sol#L229-L248

/**

* @notice Distributes points based on the locked amounts in the staking contract.

function distributePoints() public {

if (block.timestamp < lastDistribution + EPOCH_DURATION) {

return;

}

if (totalStaked == 0) {

return;

}

uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;

pointsPerToken =

pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));

totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);

lastDistribution = lastDistribution + (weeksPending * 1 weeks);

emit PointsDistributed(pointsPerEpoch, pointsPerToken);

}

It should be totalPoints and not pointsPerEpoch :

event PointsDistributed(totalPoints, pointsPedToken);

Impact

Offchain application and Dapps relie on informations given by events, this could lead to several problems in applications, misleading the end user.

Tools Used

Github, VisualCode.

Recommendations

Replace pointsPerEpoch with totalPoints.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

distributePoints calls `emit PointsDistributed` with pointsPerEpoch, instead of totalPoints

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.