Submission Details
Severity:
Misinput in `FjordStaking::unstakeAll`
Summary
Wrong input of continue in FjordStaking::unstakeAll instead of break.
Vulnerability Details
function unstakeAll() external checkEpochRollover redeemPendingRewards returns (uint256 totalStakedAmount) {
...;
for (uint16 i = 0; i < activeDeposits.length; i++) {
uint16 epoch = uint16(activeDeposits[i]);
DepositReceipt storage dr = deposits[msg.sender][epoch];
@> if (dr.epoch == 0 || currentEpoch - epoch <= lockCycle) continue;
totalStakedAmount += dr.staked;
...;
FjordStaking::unstakeAll above is allowing user to unstake even though currentEpoch - epoch <= lockCycle will results to user staked for only below or equal with 6 epochs.
This allows for user to stake for 1 epoch then unstake to claim the reward.
Impact
User is able to unstake even before the lock cycle ends which is 6 days. This breaks the invariant where staked tokens should be locked for 6 weeks(6 epochs) and can be unstaked after that.
Tools Used
Manual Review
Recommendations
function unstakeAll() external checkEpochRollover redeemPendingRewards returns (uint256 totalStakedAmount) {
...;
for (uint16 i = 0; i < activeDeposits.length; i++) {
uint16 epoch = uint16(activeDeposits[i]);
DepositReceipt storage dr = deposits[msg.sender][epoch];
- if (dr.epoch == 0 || currentEpoch - epoch <= lockCycle) continue;
+ if (dr.epoch == 0 || currentEpoch - epoch <= lockCycle) break;
totalStakedAmount += dr.staked;
...;
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
66230 USDC / LOC
16,000 USDC
2,500 USDC
1,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.