DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

No mechanism to remove epochs from `_activeDeposits` when a deposit becomes inactive

Vulnerability Details

In the getActiveDeposits function of the FjordStaking contract:

    function getActiveDeposits(address _user) public view returns (uint256[] memory) {
        return _activeDeposits[_user].values();
    }
  1. The function returns all epochs where a user has deposits, including those that may no longer be active (i.e., fully unstaked or past the lock period).

  2. There's no mechanism to remove epochs from _activeDeposits when a deposit becomes inactive.

  3. This could lead to misleading results if users or other contracts rely on this function to determine truly "active" deposits.

Root cause:

  1. The _activeDeposits set is only updated when deposits are added or fully removed, not when they become unstakable.

  2. The unstake function doesn't remove epochs from _activeDeposits if there's still a vested stake, even if the regular stake is fully withdrawn.

  3. The unstakeAll function correctly updates _activeDeposits, but individual unstake calls might leave stale epochs.

Impact:

  • Users or external contracts relying on getActiveDeposits might misinterpret the state of deposits.

  • This could lead to incorrect calculations or decisions based on presumed "active" deposits.

PoC flow:

  1. User stakes in epoch 1.

  2. 6 epochs pass.

  3. User unstakes all non-vested tokens.

  4. getActiveDeposits still lists epoch 1 as active, even though its lock period has ended and the regular stake has been fully withdrawn.

Tools Used

Manual review

Recommendations

To fix this, the contract should update _activeDeposits whenever a deposit becomes inactive: remove the epoch once it is fully unstaked (both the regular and the vested balance are zero, on every unstake path, not only in unstakeAll), and do not report epochs whose lock period has already ended as "active".
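The following is an added illustration of that recommendation, not FjordStaking's code or the project's proposed fix. It is a hypothetical minimal staking contract with an assumed lock length of 6 epochs (LOCK_EPOCHS), assumed function names (stake, stakeVested, unstake, unstakeVested, advanceEpoch, getLockedDeposits) and no token transfers, written only to show two things: pruning the EnumerableSet on every unstake path once both balances are zero, and filtering lock expiry in the view rather than trying to mutate the set when time passes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {EnumerableSet} from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol";

/// Hypothetical minimal staking contract (not FjordStaking). Keeps
/// `_activeDeposits` consistent on every unstake path and separates
/// "still holds a balance" from "still locked" in the view functions.
contract EpochDepositTracking {
    using EnumerableSet for EnumerableSet.UintSet;

    // Assumed lock length: a deposit made in epoch E is withdrawable from E + LOCK_EPOCHS.
    uint256 public constant LOCK_EPOCHS = 6;

    struct DepositReceipt {
        uint256 staked;       // regular stake in this epoch
        uint256 vestedStaked; // vested (stream-backed) stake in this epoch
    }

    uint256 public currentEpoch = 1;
    mapping(address => mapping(uint256 => DepositReceipt)) public deposits;
    mapping(address => EnumerableSet.UintSet) private _activeDeposits;

    // Epoch progression is reduced to a manual call for the example.
    function advanceEpoch() external {
        currentEpoch += 1;
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        deposits[msg.sender][currentEpoch].staked += amount;
        _activeDeposits[msg.sender].add(currentEpoch); // add() is a no-op if already present
    }

    function stakeVested(uint256 amount) external {
        require(amount > 0, "zero amount");
        deposits[msg.sender][currentEpoch].vestedStaked += amount;
        _activeDeposits[msg.sender].add(currentEpoch);
    }

    /// Partial or full withdrawal of the regular stake for one epoch.
    function unstake(uint256 epoch, uint256 amount) external {
        require(_isUnlocked(epoch), "still locked");
        DepositReceipt storage dr = deposits[msg.sender][epoch];
        require(amount > 0 && amount <= dr.staked, "bad amount");
        dr.staked -= amount;
        _pruneIfEmpty(msg.sender, epoch); // the fix: prune on every unstake path
    }

    /// Withdrawal of the vested stake for one epoch.
    function unstakeVested(uint256 epoch) external {
        require(_isUnlocked(epoch), "still locked");
        DepositReceipt storage dr = deposits[msg.sender][epoch];
        require(dr.vestedStaked > 0, "nothing vested");
        dr.vestedStaked = 0;
        _pruneIfEmpty(msg.sender, epoch);
    }

    /// Removes the epoch from the set only when BOTH balances are zero, so an
    /// epoch with a remaining vested stake stays listed and an epoch with
    /// nothing left does not linger as a stale entry.
    function _pruneIfEmpty(address user, uint256 epoch) internal {
        DepositReceipt storage dr = deposits[user][epoch];
        if (dr.staked == 0 && dr.vestedStaked == 0) {
            _activeDeposits[user].remove(epoch);
            delete deposits[user][epoch];
        }
    }

    function _isUnlocked(uint256 epoch) internal view returns (bool) {
        return currentEpoch >= epoch + LOCK_EPOCHS;
    }

    /// Epochs in which the user still holds any stake (regular or vested).
    function getActiveDeposits(address user) external view returns (uint256[] memory) {
        return _activeDeposits[user].values();
    }

    /// Epochs that are still inside their lock period. Lock expiry depends on
    /// time, not on a state-changing call, so it is filtered here in the view
    /// instead of by mutating the set.
    function getLockedDeposits(address user) external view returns (uint256[] memory) {
        uint256[] memory all = _activeDeposits[user].values();
        uint256 n;
        for (uint256 i = 0; i < all.length; i++) {
            if (!_isUnlocked(all[i])) n++;
        }
        uint256[] memory locked = new uint256[](n);
        uint256 j;
        for (uint256 i = 0; i < all.length; i++) {
            if (!_isUnlocked(all[i])) locked[j++] = all[i];
        }
        return locked;
    }
}
```

Replaying the PoC flow against this sketch: stake in epoch 1, call advanceEpoch six times, then unstake(1, full amount). Both balances are now zero, so _pruneIfEmpty removes epoch 1 and getActiveDeposits no longer lists it. If a vested stake remained in epoch 1, the epoch would stay listed, which is the intended meaning of "active"; getLockedDeposits would still exclude it because its lock period has ended.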

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
