DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

front-running attacks in its onStaked and onUnstaked functions

Summary

The contract is exposed to front-running in its onStaked and onUnstaked functions. Both functions use the checkDistribution modifier, which calls distributePoints() before the user's stake is updated.

  • Point distribution depends on the current totalStaked amount.

  • Transactions are visible in the mempool before they are processed.

Vulnerability Details

function distributePoints() public {
    // Nothing to do until a full epoch has elapsed since the last distribution.
    if (block.timestamp < lastDistribution + EPOCH_DURATION) {
        return;
    }
    // Avoid division by zero when nobody is staked.
    if (totalStaked == 0) {
        return;
    }
    uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;
    // Per-token points for the pending epochs, computed from totalStaked as it is at call time.
    pointsPerToken =
        pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));
    totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);
    // Advances by `1 weeks` per epoch, which assumes EPOCH_DURATION == 1 weeks.
    lastDistribution = lastDistribution + (weeksPending * 1 weeks);
    emit PointsDistributed(pointsPerEpoch, pointsPerToken);
}

  • Alice submits a transaction to stake a large amount of tokens.

  • Bob, a malicious actor, sees Alice's pending transaction in the mempool.

  • Bob quickly submits his own staking transaction with a higher gas price.

  • Bob's transaction is processed first, increasing the totalStaked amount.

  • distributePoints() is called, calculating pointsPerToken based on the new totalStaked amount.

  • Alice's transaction is processed, but she receives fewer points per token than she would have had her transaction been processed first.
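To make the scenario checkable, the following is an added Python model, not the audited contract's code: distribute_points() transcribes the Solidity snippet above, while the checkpoint-style stake/unstake accounting (points = stake × change in pointsPerToken / 1e18), the pre-existing staker Carol, the 1000-token stakes and 7000 points per epoch are all assumptions. replay() runs the Alice/Bob sequence with either of them first so the resulting points can be compared across orderings.

```python
# Added model, not the audited contract: distribute_points() transcribes the
# snippet above; the checkpoint stake/unstake accounting is an assumption.
WEEK = 7 * 24 * 3600            # assumes EPOCH_DURATION == 1 weeks
PRECISION_18 = 10**18


class StakingModel:
    def __init__(self, points_per_epoch):
        self.points_per_epoch = points_per_epoch
        self.points_per_token = self.total_points = self.last_distribution = 0
        self.total_staked = 0
        self.stakes, self.paid, self.earned = {}, {}, {}   # per-user state

    def distribute_points(self, now):
        # Same control flow and integer arithmetic as the contract.
        if now < self.last_distribution + WEEK or self.total_staked == 0:
            return
        weeks_pending = (now - self.last_distribution) // WEEK
        self.points_per_token += weeks_pending * (
            self.points_per_epoch * PRECISION_18 // self.total_staked)
        self.total_points += self.points_per_epoch * weeks_pending
        self.last_distribution += weeks_pending * WEEK

    def _settle(self, user):
        # Credit points accrued since the user's last checkpoint.
        delta = self.points_per_token - self.paid.get(user, 0)
        self.earned[user] = (self.earned.get(user, 0)
                             + self.stakes.get(user, 0) * delta // PRECISION_18)
        self.paid[user] = self.points_per_token

    def on_staked(self, user, amount, now):
        self.distribute_points(now)   # runs before totalStaked changes
        self._settle(user)
        self.stakes[user] = self.stakes.get(user, 0) + amount
        self.total_staked += amount

    def on_unstaked(self, user, amount, now):
        self.distribute_points(now)
        self._settle(user)
        self.stakes[user] -= amount
        self.total_staked -= amount
        return self.earned[user]


def replay(order):
    """Carol stakes at t=0; `order` says who stakes first at week 1 (constructed data)."""
    m = StakingModel(points_per_epoch=7000)
    m.on_staked("carol", 1000, now=0)
    for user in order:                      # both land in the same block
        m.on_staked(user, 1000, now=WEEK)
    # one more epoch elapses, then everyone unstakes and is settled
    return {u: m.on_unstaked(u, 1000, now=2 * WEEK) for u in ("carol", *order)}
```

Compare replay(("alice", "bob")) with replay(("bob", "alice")) to see how each user's settled points depend on the ordering of the two stakes.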

Impact

  • Users could receive more points than they should when unstaking.

  • This creates an unfair advantage for users who can monitor the mempool and quickly submit transactions.

  • Users could receive fewer points than expected when staking.

Tools Used

Manual Review

Recommendations

Process stakes and unstakes in batches at fixed intervals, or use a commit-reveal scheme.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
