Incorrect event implementation in `FjordPoints::distributePoints()` reveals misleading information
Summary
A flaw in the FjordPoints::distributePoints function leads to the PointsDistributed event emitting incorrect data. Instead of reporting the total number of points distributed during the function call, the event mistakenly emits the number of points distributed per epoch. If the function is invoked after more than one epoch, this will result in the emission of inaccurate event data, misleading users.
Vulnerability Details
The distributePoints function is designed to distribute points to users with tokens staked in the contract, and is supposed to emit a PointsDistributed event to log the operation. However, instead of emitting the total amount of points distributed during the function call, the event always reflects the predefined pointsPerEpoch.
Impact
If the function is executed after two or more epochs have passed, the event will log only the points for one epoch, rather than the sum of points distributed across all epochs. This discrepancy leads to misleading information in the logs, making it difficult to track the actual distribution of points over time.
Tools Used
Manual code review.
Recommendations
Correct the event emission logic: update the distributePoints function to emit the PointsDistributed event with the total points distributed during the entire function call, rather than per epoch.
Lead Judging Commences
distributePoints calls `emit PointsDistributed` with pointsPerEpoch, instead of totalPoints
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.