Users can gain a large amount of points with a short lock, since points are distributed when a week passes and the lock-time enforcement in Fjord staking can be ineffective if the two contracts are deployed at different timestamps.
The points distribution occurs right after an EPOCH_DURATION passes and does not depend on how long a user has locked their assets.
Attackers can deposit in the block right before the WEEK timestamp occurs and withdraw in the very next block, earning a share of the points without actually being deposited into the protocol. This is possible if the deploy times of the staking and points contracts differ.
Users can gain points without being locked if deployment times differ.
Manual Review
Always ensure that the deployments occur at the same timestamp.
Impact: High - Users are getting an unreasonable amount of points through exploiting a vulnerability.
Likelihood: Low - Most of the time, when using the script, all deployment tx will get processed in the same block. But there is a small chance for them to be processed in different blocks.
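A small model of the misalignment described above, written as a post-deployment check (an added example, not code from the audited contracts). It assumes each contract counts weekly epochs from its own deployment timestamp and that the staking lock only applies once a staking epoch boundary has been crossed; the function names and timestamps are constructed.

```python
WEEK = 7 * 24 * 60 * 60  # epoch length in seconds (one week, as in the finding)

def epoch_index(ts, deploy_ts):
    """0-based weekly epoch of `ts` for a contract whose epochs start at deploy_ts."""
    return (ts - deploy_ts) // WEEK

def boundary_offset(staking_deploy, points_deploy):
    """Seconds by which points boundaries trail staking boundaries (0 = aligned)."""
    return (points_deploy - staking_deploy) % WEEK

def check_deployment(staking_deploy, points_deploy):
    """Post-deployment check: the two epoch clocks must share their boundaries."""
    off = boundary_offset(staking_deploy, points_deploy)
    return {"aligned": off == 0, "offset_seconds": off}

def earns_points_without_lock(deposit_ts, withdraw_ts, staking_deploy, points_deploy):
    """True when a position spans a points distribution but never crosses a
    staking epoch boundary, so (under the assumed rule) no lock was enforced."""
    crossed_points = (epoch_index(withdraw_ts, points_deploy)
                      > epoch_index(deposit_ts, points_deploy))
    same_staking_epoch = (epoch_index(withdraw_ts, staking_deploy)
                          == epoch_index(deposit_ts, staking_deploy))
    return crossed_points and same_staking_epoch

if __name__ == "__main__":
    # Constructed timestamps: points contract lands one 12 s block after staking.
    staking, points = 1_700_000_000, 1_700_000_012
    print(check_deployment(staking, points))
    # Deposit one second before the points boundary, withdraw 12 s later.
    print(earns_points_without_lock(1_700_604_811, 1_700_604_823, staking, points))
    # Same-block deployment: a position crossing the points boundary also
    # crosses the staking boundary, so the lock rule is reached.
    print(earns_points_without_lock(1_700_604_799, 1_700_604_811, staking, staking))
```

Running `check_deployment` against the two recorded deployment timestamps in the deploy script turns the recommendation into an assertion that fails the rollout when the offset is non-zero.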