Variable stakers could lose their pending Rewards.
Summary :
pendingrewards is used to calculate the amount of rewards that a user has accumulated but not yet claimed. It represents the rewards that are due to a user based on their staking activity across different epochs. The function takes into account the user's staked amounts, the duration of their stakes, and the reward rates for each relevant epoch to determine the total pending rewards for the user.(see code below).https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L702
Vulnerability Details :
The issue is that the computation assumes that (currentBalance + totalVestedStaked + newVestedStaked) will always be greater than (totalStaked - newStaked - totalRewards).
However, there are edge cases that breaks that assumption,
When a negative rebase occurswhich is (totalStaked - newStaked - totalRewards) is greater than (currentBalance + totalVestedStaked + newVestedStaked) [ it happen when no one call the vestedStake and the users stake with an amount > currentBalance].
Impact :
The contract does not explicitly prevent or handle scenarios where the calculated staked amount (totalStaked - newStaked - totalRewards) becomes greater than the actual token balance (currentBalance + totalVestedStaked + newVestedStaked).When these occur, it will cause pendingRewards to revert in _checkEpochRollover().
Tools Used :
Manual code review.
Recommendations:
Add a require statement to validate that totalStaked - newStaked - totalRewards <= currentBalance + totalVestedStaked + newVestedStaked before critical operations
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.