Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Potential loss of rewards if minting fails in claimPoints

mangocola

Summary

Potential loss of rewards if minting fails in claimPoints. To be honest not that likely to happen but submit this in case.

Vulnerability Details

/**
* @notice Allows users to claim their accumulated points.
*/
function claimPoints() external checkDistribution updatePendingPoints(msg.sender) {
UserInfo storage userInfo = users[msg.sender];
uint256 pointsToClaim = userInfo.pendingPoints;
if (pointsToClaim > 0) {
userInfo.pendingPoints = 0;
_mint(msg.sender, pointsToClaim);
emit PointsClaimed(msg.sender, pointsToClaim);
}
}

In claimPoints the amount of points a user can get is stored in the pendingPoints variable. The fucntion mints the pointsToClaim which is the pendingPoints.However it resets the pendingPoints here before minting

userInfo.pendingPoints = 0;
_mint(msg.sender, pointsToClaim);

Although this was probably done to prevent reentrancy attacks, this might lead to a loss of rewards for users.

Impact

Loss of Points:
If _mint fails after userInfo.pendingPoints is set to zero, the user will lose their pending points without receiving the corresponding tokens.
This might lead to a loss of rewards for users.

Tools Used

Source code review

Recommendations

_mint(msg.sender, pointsToClaim);
userInfo.pendingPoints = 0;
emit PointsClaimed(msg.sender, pointsToClaim);

Making the order like this but maybe adding nonReentrant to protect from reentrancy

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.