Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Funds can get stuck in the FjordStaking.sol contract.

0x6a70

Summary

Funds can get stuck FjordStaking.sol contract when user is claiming rewards early.

Vulnerability Details

When a user has staked for some time , but not enough to claim the full rewards and decides to claim his rewards with a bool flag _isClaimEarly = true a penalty will be incured:

rewardAmount = ud.unclaimedRewards;
penaltyAmount = rewardAmount / 2;
rewardAmount -= penaltyAmount;
if (rewardAmount == 0) return (0, 0);
totalRewards -= (rewardAmount + penaltyAmount);
userData[msg.sender].unclaimedRewards -= (rewardAmount + penaltyAmount);

That penalty is substracted from totalRewards leaving it unaccounted for. Meaning noone else will be able to claim it , from the stakers in the contract.

At no other point totalRewards variable is updated to accound for the penaltyAmount.

Impact

High as funnds will be stuck in the contract and cannot be reclaimed.

Tools Used

Manual review

Recommendations

Take in to consideration the penaltyAmount when calculating totalRewards.

If it is not substracted from totalRewards it can be claimed byother stakers.

Updates

Lead Judging Commences

inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.