In the completeClaimRequest function:
The function doesn't update the userData[msg.sender].lastClaimedEpoch after claiming rewards. This could lead to a situation where a user can claim rewards multiple times for the same epochs if they wait long enough between claims.
Additionally, there's no check to ensure that the claim request epoch is greater than the user's last claimed epoch. This could potentially allow a user to claim rewards for epochs they've already claimed.
To fix this, the function should:
- Check if cr.requestEpoch > userData[msg.sender].lastClaimedEpoch
- Update userData[msg.sender].lastClaimedEpoch = currentEpoch after a successful claim
These changes would ensure that users can only claim rewards once per epoch range and prevent potential reward duplication.
1. User stakes tokens and accumulates rewards over several epochs.
2. User calls claimReward(false) to create a claim receipt for epoch X.
3. User waits for 3+ epochs (satisfying the cooldown period).
4. User calls completeClaimRequest(), receiving rewards up to epoch X+3.
5. User waits for another 3+ epochs without staking or unstaking.
6. User calls claimReward(false) again, creating a new claim receipt for the current epoch.
7. After 3 more epochs, user calls completeClaimRequest() again.
In step 7, the user would receive rewards for epochs that were already claimed in step 4, because the function doesn't update lastClaimedEpoch or check against it.
IMPACT: This bug could allow users to claim more rewards than they're entitled to, potentially draining the contract of excess rewards and disrupting the economic balance of the staking system.
To fix this, implement the suggested checks and updates to lastClaimedEpoch.
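A small Python model of the scenario above, added here as an illustration and not taken from the audited contract: it compares the function without the lastClaimedEpoch check and update against the version with them. It assumes a flat per-epoch reward, a 3-epoch cooldown and a payout computed from lastClaimedEpoch to the current epoch; the class, method and constant names are hypothetical.

```python
# Simplified model of the accounting described in the finding. Assumptions (not from
# the audited contract): flat reward per epoch, 3-epoch cooldown, and a payout of
# (current epoch - lastClaimedEpoch) * reward. All names here are hypothetical.
REWARD_PER_EPOCH = 10   # constructed value
COOLDOWN = 3            # cooldown used in the scenario, in epochs


class StakingModel:
    def __init__(self, patched):
        self.patched = patched
        self.epoch = 0
        self.last_claimed_epoch = 0   # models userData[msg.sender].lastClaimedEpoch
        self.request_epoch = None     # models cr.requestEpoch of the open receipt

    def advance(self, n):
        self.epoch += n

    def claim_reward(self):
        self.request_epoch = self.epoch

    def complete_claim_request(self):
        if self.request_epoch is None:
            raise RuntimeError("no open claim request")
        if self.epoch < self.request_epoch + COOLDOWN:
            raise RuntimeError("cooldown not over")
        if self.patched and self.request_epoch <= self.last_claimed_epoch:
            raise RuntimeError("epochs already claimed")   # suggested check
        payout = (self.epoch - self.last_claimed_epoch) * REWARD_PER_EPOCH
        if self.patched:
            self.last_claimed_epoch = self.epoch           # suggested update
        self.request_epoch = None
        return payout


def run_scenario(patched):
    """Replay steps 1-7 with X = 5; return (first payout, second payout, entitlement)."""
    m = StakingModel(patched)
    m.advance(5)
    m.claim_reward()                      # step 2: receipt at epoch X
    m.advance(3)
    first = m.complete_claim_request()    # step 4
    m.advance(3)
    m.claim_reward()                      # step 6
    m.advance(3)
    second = m.complete_claim_request()   # step 7
    return first, second, m.epoch * REWARD_PER_EPOCH
```

Without the check and update, the two payouts together exceed the entitlement for the elapsed epochs; with them, the payouts sum to exactly the entitlement.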
Manual review