Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Inefficiency and inaccuracy of points distribution

hendobox

Summary

The distributePoints function is designed to allocate points to stakeholders based on the elapsed time since the last distribution. A critical part of this function is the calculation of weeksPending, which determines how many epochs have passed. However, the function does not explicitly check if weeksPending is greater than zero, potentially leading to inefficiencies in the contract.

Vulnerability Details

The vulnerability lies in the fact that weeksPending can be 0, which means that no full epoch has passed since the last distribution. If weeksPending is zero, the function still updates the pointsPerToken, totalPoints, and lastDistribution storages, and emits a PointsDistributed event, even though no points are actually distributed. This can lead to unnecessary gas consumption and misleading logs.

FjordPoints.sol#L241-L247

For example, if block.timestamp is slightly greater than lastDistribution, the calculated weeksPending may be 0. In this case, the function would proceed to update lastDistribution and emit an event without actually changing pointsPerToken or totalPoints.

Impact

Gas inefficiency
Misleading events

Tools Used

Manual review

Recommendations

Implement a condition to ensure that weeksPending is greater than 0 before proceeding with state updates and event emissions. This prevents unnecessary operations when no full epoch has passed.

function distributePoints() public {

if (block.timestamp < lastDistribution + EPOCH_DURATION) {

return;

}

if (totalStaked == 0) {

return;

}

uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;

+ if (weeksPending != 0) {

pointsPerToken =

pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));

totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);

lastDistribution = lastDistribution + (weeksPending * 1 weeks);

emit PointsDistributed(pointsPerEpoch, pointsPerToken);

+ }

}

Updates

Lead Judging Commences

inallhonesty Lead Judge

about 1 year ago

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.