DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

Potential Exploit in setPointsPerEpoch Function

Summary

The contract under analysis is the FjordPoints contract, which is designed to distribute points to users based on their staked tokens in a staking contract. The points are distributed at a rate determined by the pointsPerEpoch variable, which is set and controlled by the contract owner.

Vulnerability Details

The setPointsPerEpoch function in the contract allows the owner to set the number of points distributed per epoch. The function is defined as follows:

    // onlyOwner restricts the call to the contract owner; checkDistribution is a
    // modifier defined elsewhere in FjordPoints and its body is not shown here.
    function setPointsPerEpoch(uint256 _points) external onlyOwner checkDistribution {
        // Only zero is rejected: any value from 1 upward is accepted with no
        // upper or lower bound and no delay before it takes effect.
        if (_points == 0) {
            revert();
        }
        pointsPerEpoch = _points;
    }

While this function gives the owner flexibility to adjust the rewards distributed to users, it also leaves the reward rate entirely at the owner's discretion: the only check is `_points != 0`, there is no upper or lower bound, and the new value applies immediately.

  • The owner could set `pointsPerEpoch` to a very low value (the revert only blocks zero, so 1 is accepted), leaving stakers with negligible points. Users would then receive far fewer rewards than expected, effectively diminishing the value of their participation.

  • After participants have staked their tokens based on an initial `pointsPerEpoch` value, the owner could reduce it, unilaterally lowering the returns those participants were expecting. Because the change takes effect in the same transaction, stakers get no warning and no window in which to withdraw before the lower rate applies. This is particularly harmful if done after users have committed significant amounts of tokens to the contract.

Impact

The ability of the contract owner to set `pointsPerEpoch` to an arbitrary non-zero value, with no bounds, delay, or other oversight, presents a high risk to the fairness and integrity of the staking and rewards distribution process. Participants in the staking program could be unfairly disadvantaged, and overall trust in the system could be compromised. Note that exercising this requires the owner key itself to act maliciously or to be compromised; no unprivileged actor can trigger it, so the finding is a question of how much trust stakers must place in the owner rather than an exploit available to the public.

Tools Used

Manual analysis

Recommendations

Fix `pointsPerEpoch` at the start of the contract or auction, either by making it immutable (set once in the constructor) or by constraining any later change to a predetermined range that the owner cannot widen, so that drastic changes are impossible.

In addition, introduce a timelock on changes to `pointsPerEpoch`: a new value should be announced on-chain first and take effect only after a fixed delay. This gives participants time to react, or to withdraw their tokens, if they disagree with the change.
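The following contract is an added example written for this report, not code from FjordPoints or the Fjord project, illustrating both recommendations against the setter quoted in Vulnerability Details: the accepted range is fixed at deployment as immutables, and every change goes through a schedule/apply pair separated by a timelock. The contract name, the owner handling, the bounds, the `CHANGE_DELAY` value and the event and error names are all assumptions for illustration. The original `checkDistribution` modifier is not reproduced because the page does not show its body; whatever settlement it performs belongs on `applyPointsPerEpoch`, where the rate actually changes, not on the scheduling call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not Fjord's code): an owner-controlled pointsPerEpoch that is
// bounded to a deployment-time range and can only change after a public delay.
contract BoundedTimelockedPoints {
    address public owner;
    uint256 public pointsPerEpoch;

    // Assumed hard bounds, fixed at deployment so the owner cannot widen them later.
    uint256 public immutable minPointsPerEpoch;
    uint256 public immutable maxPointsPerEpoch;
    // Assumed delay between scheduling a change and being able to apply it.
    uint256 public constant CHANGE_DELAY = 2 days;

    // Pending change; pendingEffectiveAt == 0 means nothing is scheduled.
    uint256 public pendingPointsPerEpoch;
    uint256 public pendingEffectiveAt;

    event PointsPerEpochScheduled(uint256 newPoints, uint256 effectiveAt);
    event PointsPerEpochApplied(uint256 oldPoints, uint256 newPoints);
    event PointsPerEpochCancelled(uint256 cancelledPoints);

    error NotOwner();
    error OutOfRange(uint256 points, uint256 min, uint256 max);
    error NothingScheduled();
    error TimelockActive(uint256 effectiveAt);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 initialPoints, uint256 minPoints, uint256 maxPoints) {
        require(minPoints > 0 && minPoints <= maxPoints, "bad bounds");
        require(initialPoints >= minPoints && initialPoints <= maxPoints, "initial out of range");
        owner = msg.sender;
        minPointsPerEpoch = minPoints;
        maxPointsPerEpoch = maxPoints;
        pointsPerEpoch = initialPoints;
    }

    // Step 1: the owner may only schedule a value inside the fixed range. The
    // change is announced via the event and cannot take effect before
    // CHANGE_DELAY, which is the window in which stakers can react or unstake.
    // Scheduling again overwrites the pending value and restarts the delay,
    // so the owner can never shorten the wait.
    function schedulePointsPerEpoch(uint256 _points) external onlyOwner {
        if (_points < minPointsPerEpoch || _points > maxPointsPerEpoch) {
            revert OutOfRange(_points, minPointsPerEpoch, maxPointsPerEpoch);
        }
        pendingPointsPerEpoch = _points;
        pendingEffectiveAt = block.timestamp + CHANGE_DELAY;
        emit PointsPerEpochScheduled(_points, pendingEffectiveAt);
    }

    // Step 2: anyone may apply once the delay has elapsed, so the owner cannot
    // announce a change and then choose the exact moment it activates.
    function applyPointsPerEpoch() external {
        if (pendingEffectiveAt == 0) revert NothingScheduled();
        if (block.timestamp < pendingEffectiveAt) revert TimelockActive(pendingEffectiveAt);
        uint256 old = pointsPerEpoch;
        pointsPerEpoch = pendingPointsPerEpoch;
        delete pendingPointsPerEpoch;
        delete pendingEffectiveAt;
        emit PointsPerEpochApplied(old, pointsPerEpoch);
    }

    // The owner may withdraw a scheduled change before it takes effect.
    function cancelPendingPointsPerEpoch() external onlyOwner {
        if (pendingEffectiveAt == 0) revert NothingScheduled();
        emit PointsPerEpochCancelled(pendingPointsPerEpoch);
        delete pendingPointsPerEpoch;
        delete pendingEffectiveAt;
    }
}
```

Compared with the original setter, the owner no longer has a single-transaction path from the current rate to an arbitrary one: the smallest reachable value is `minPointsPerEpoch` rather than 1, and the `PointsPerEpochScheduled` event plus the `CHANGE_DELAY` wait give stakers a guaranteed exit window. Making `applyPointsPerEpoch` callable by anyone is a deliberate choice; if the project prefers the owner to trigger it, the same timelock check still applies.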

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
