DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

A user's Fjord tokens could be locked for an extended duration without their control due to missing deadline in staking functions

Title

A user's Fjord tokens could be locked for an extended duration without their control

Description

The stake() function allows anyone to stake FJORD tokens in return for rewards:

    function stake(uint256 _amount) external checkEpochRollover redeemPendingRewards {
        //CHECK
        if (_amount == 0) revert InvalidAmount();
        //EFFECT
        userData[msg.sender].unredeemedEpoch = currentEpoch;
        DepositReceipt storage dr = deposits[msg.sender][currentEpoch];
        if (dr.epoch == 0) {
            dr.staked = _amount;
            dr.epoch = currentEpoch;
            _activeDeposits[msg.sender].add(currentEpoch);
        } else {
            dr.staked += _amount;
        }
        newStaked += _amount;
        //INTERACT
        fjordToken.safeTransferFrom(msg.sender, address(this), _amount);
        points.onStaked(msg.sender, _amount);
        emit Staked(msg.sender, currentEpoch, _amount);
    }

Before this function body runs, the modifier checkEpochRollover executes and calls _checkEpochRollover():

    function _checkEpochRollover() internal {
        uint16 latestEpoch = getEpoch(block.timestamp);
        if (latestEpoch > currentEpoch) {
            //Time to rollover
            currentEpoch = latestEpoch;
            ...
        }
    }

Thus, it first checks the epoch and updates it if it exceeds the current epoch. Also, considering the unstake functions, which call _redeem() at their core,
users have to keep and lock their assets for at least one epoch.

An issue arises because the user cannot specify the latest desired unlock time. This opens the path for the tokens to be locked for longer than expected,
which may have a significant impact on users if they need the funds. Consider the following case, where x is the week number:

  1. It is day 6 of an epoch (one day from nextEpoch)

  2. Assumed unlock time is 7 + lockDuration

  3. The TX does not execute in the next 1 day for any reason (gas price went up, validator does not include the TX, etc.)

  4. It is now day 7, another epoch starts. Now nextEpoch is 7 + x

  5. Executed unlock time is 7 + x + lockDuration

This means the user's funds are locked for 7 days more than expected.

Essentially, the stake function lacks a deadline parameter similar to the one in swapping functions, and the impact is a temporary freeze of funds.
This issue is certainly considered medium, as it relates to a temporary freeze of funds against the users' will.

Impact

Temporary loss of Fjord tokens due to being locked for an extended duration beyond the users' intention and without their control.

Tools Used

Manual review

Recommendation

Consider adding a deadline parameter for the staking functions.
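
A sketch of what such a parameter could look like, as an added example that is not code from the Fjord repository or from this submission. The contract name, the `_deadline` and `_maxEpoch` parameters, the two custom errors, the weekly epoch length and the `getEpoch` formula are all assumptions made for illustration; the ledger tracks balances only and does not move tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Illustrative only: a minimal staking ledger with a caller-supplied
// deadline and epoch bound. Not the Fjord staking contract.
contract DeadlineStakingSketch {
    error InvalidAmount();
    error DeadlineExpired(uint256 deadline, uint256 executedAt);
    error EpochTooLate(uint16 maxEpoch, uint16 actualEpoch);

    uint256 public constant EPOCH_DURATION = 7 days; // assumed weekly epochs
    uint256 public immutable startTime;
    uint16 public currentEpoch;
    mapping(address => mapping(uint16 => uint256)) public stakedInEpoch;

    event Staked(address indexed user, uint16 indexed epoch, uint256 amount);

    constructor() {
        startTime = block.timestamp;
        currentEpoch = 1;
    }

    // Assumed epoch formula: epoch 1 starts at deployment.
    function getEpoch(uint256 ts) public view returns (uint16) {
        return uint16((ts - startTime) / EPOCH_DURATION) + 1;
    }

    /// @param _deadline latest block.timestamp at which the stake may execute
    /// @param _maxEpoch latest epoch in which the caller accepts the deposit
    function stake(uint256 _amount, uint256 _deadline, uint16 _maxEpoch) external {
        if (_amount == 0) revert InvalidAmount();
        // Time bound: a transaction that sat in the mempool too long reverts.
        if (block.timestamp > _deadline) revert DeadlineExpired(_deadline, block.timestamp);

        // Same rollover step as _checkEpochRollover(), applied before the bound.
        uint16 latestEpoch = getEpoch(block.timestamp);
        if (latestEpoch > currentEpoch) currentEpoch = latestEpoch;

        // Epoch bound: revert instead of booking the deposit one epoch later.
        if (currentEpoch > _maxEpoch) revert EpochTooLate(_maxEpoch, currentEpoch);

        stakedInEpoch[msg.sender][currentEpoch] += _amount;
        emit Staked(msg.sender, currentEpoch, _amount);
    }
}
```

In the day-6 scenario above, a caller passing the current epoch as `_maxEpoch` would see the delayed transaction revert on day 7 rather than start a lock in the following epoch.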

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
