DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Anyone can add rewards without using the addReward() function

Summary

In the Fjord Staking System, rewards are added to the contract by the reward admin using the addReward() function. However, the new rewards are processed directly by checking the contract's token balance, which renders the reward admin role unnecessary.

Vulnerability Details

The reward admin is responsible for adding rewards using the following addReward() function:

    function addReward(uint256 _amount) external onlyRewardAdmin {
        //CHECK
        if (_amount == 0) revert InvalidAmount();
        //EFFECT
        uint16 previousEpoch = currentEpoch;
        //INTERACT
        fjordToken.safeTransferFrom(msg.sender, address(this), _amount);
        _checkEpochRollover();
        emit RewardAdded(previousEpoch, msg.sender, _amount);
    }

This function transfers the corresponding tokens to the staking contract and then calls _checkEpochRollover() in order to update the reward rate.

During the reward rate update, the new rewards are derived from the token balance of the staking contract rather than from the amount passed to addReward(). As a result, anyone can send Fjord tokens directly to the staking contract in order to increase the reward rate:

    if (totalStaked > 0) {
        uint256 currentBalance = fjordToken.balanceOf(address(this));
        // do not distribute the rewards to the users coming in the current epoch
        uint256 pendingRewards = (currentBalance + totalVestedStaked + newVestedStaked)
            - totalStaked - newStaked - totalRewards;
        uint256 pendingRewardsPerToken = (pendingRewards * PRECISION_18) / totalStaked;
        totalRewards += pendingRewards;
        for (uint16 i = lastEpochRewarded + 1; i < currentEpoch; i++) {
            rewardPerToken[i] = rewardPerToken[lastEpochRewarded] + pendingRewardsPerToken;
            emit RewardPerTokenChanged(i, rewardPerToken[i]);
        }
    }

Impact

Low - Although this issue does not significantly impact the contract's functionality, it contradicts the documentation, which states that only the reward admin should be able to add rewards to the staking contract. The current implementation does not enforce this restriction.

Tools Used

Manual Review

Recommendations

Instead of deriving the reward amount from the contract's token balance, the rollover logic should distribute only the amount that was passed through addReward() to the previous epochs. This change would ensure that only the reward admin can add rewards, as intended.
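The recommendation above, as an added example contract that is not part of this submission or the Fjord code base: rewards are recorded in a dedicated counter when addReward() is called, and the rollover reads that counter instead of balanceOf(). The one-week epoch length, the stake() function and the unaccountedRewards variable are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Hypothetical minimal staking contract (not the Fjord code): rewards enter accounting only via addReward().
contract RewardAccountingExample {
    using SafeERC20 for IERC20;
    uint256 public constant PRECISION_18 = 1e18;
    uint256 public constant EPOCH_DURATION = 1 weeks; // assumed epoch length
    IERC20 public immutable fjordToken;
    address public immutable rewardAdmin;
    uint256 public immutable startTime;
    uint16 public lastEpochRewarded;
    uint256 public totalStaked;
    uint256 public unaccountedRewards; // added via addReward(), not yet distributed
    mapping(uint16 => uint256) public rewardPerToken;
    error InvalidAmount();
    error NotRewardAdmin();

    constructor(IERC20 _token, address _admin) {
        fjordToken = _token; rewardAdmin = _admin; startTime = block.timestamp;
    }

    function stake(uint256 _amount) external {
        if (_amount == 0) revert InvalidAmount();
        fjordToken.safeTransferFrom(msg.sender, address(this), _amount);
        totalStaked += _amount; // per-user bookkeeping omitted
    }

    function addReward(uint256 _amount) external {
        if (msg.sender != rewardAdmin) revert NotRewardAdmin();
        if (_amount == 0) revert InvalidAmount();
        fjordToken.safeTransferFrom(msg.sender, address(this), _amount);
        unaccountedRewards += _amount; // the only path that grows distributable rewards
        _checkEpochRollover();
    }

    function _checkEpochRollover() internal {
        uint16 epoch = uint16((block.timestamp - startTime) / EPOCH_DURATION) + 1;
        if (totalStaked == 0 || unaccountedRewards == 0 || epoch <= lastEpochRewarded + 1) return;
        uint256 pending = unaccountedRewards; // balanceOf(address(this)) is never consulted
        unaccountedRewards = 0;
        uint256 perToken = (pending * PRECISION_18) / totalStaked;
        for (uint16 i = lastEpochRewarded + 1; i < epoch; i++) {
            rewardPerToken[i] = rewardPerToken[lastEpochRewarded] + perToken;
        }
        lastEpochRewarded = epoch - 1;
    }
}
```

Tokens sent to this contract with a plain transfer() sit in its balance but never reach unaccountedRewards, so they cannot move rewardPerToken.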

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
