The function unstakeAll in the FjordStaking contract contains a critical vulnerability due to an unchecked transfer of tokens. The function attempts to transfer the total staked amount back to the user without verifying that the transfer call succeeded. This oversight can lead to unexpected behavior and loss of funds if the transfer fails.
Affected Contract: FjordStaking
File: src/FjordStaking.sol
Function: unstakeAll
Code Snippet:
If the transfer fails and the return value is not checked, the contract will assume that the transfer was successful even though no tokens were actually transferred. This could cause users to lose their staked tokens without being able to reclaim them, leading to a significant financial loss.
Manual code review
To remediate this issue, the return value of the transfer function should be checked to ensure the transfer was successful. If the transfer fails, the function should revert to prevent any loss of funds.
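The unchecked pattern and its remediation, side by side, as an added example that is not FjordStaking's code: `StakingVaultExample`, its storage layout and both function names are hypothetical, and the token is assumed to be an ERC-20 that signals failure by returning false instead of reverting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a hypothetical minimal staking vault, not FjordStaking's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingVaultExample {
    // Assumption: this token may return false on failure rather than revert.
    IERC20 public immutable token;
    mapping(address => uint256) public staked;

    constructor(IERC20 _token) {
        token = _token;
    }

    function stake(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "stake: transferFrom failed");
        staked[msg.sender] += amount;
    }

    // Pattern described in the finding: the staked balance is cleared and the
    // return value of transfer is ignored. If transfer returns false, the call
    // still succeeds, the user's stake is zeroed, and no tokens have moved.
    function unstakeAllUnchecked() external {
        uint256 amount = staked[msg.sender];
        require(amount > 0, "nothing staked");
        staked[msg.sender] = 0;
        token.transfer(msg.sender, amount); // return value dropped
    }

    // Remediated form: a false return reverts the whole call, which also
    // rolls back the balance update above it.
    function unstakeAllChecked() external {
        uint256 amount = staked[msg.sender];
        require(amount > 0, "nothing staked");
        staked[msg.sender] = 0; // effects before interaction
        bool ok = token.transfer(msg.sender, amount);
        require(ok, "unstake: transfer failed");
    }
}
```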