DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

_unstakeVested() has many flaws

Summary

  • First, _unstakeVested() doesn't return any amount to the staker on a partial withdrawal, as the amounts are vested. But it doesn't consider the vested amount that has already been received by the staking contract either. The vested amount received by the staking contract should be the amount that the staker is allowed to unstake.

  • If the staker fully unstakes a vested NFT after a while, he only gets the NFT, and the amount that the staking contract received is kept in the staking contract.

  • If the vested staker does partial withdrawals, his staking rewards only decrease and nothing else happens.

Vulnerability Details

_unstakeVested() seems to be unfinished, as there are a lot of unhandled cases.

Impact

This will discourage vested stakers from staking, as the rewards might be less than the Sablier token payment stream received and kept by the staking contract.

Tools Used

VS Code

Recommendations

  • Always calculate the new payments received from Sablier after the user has staked the NFT, and allow only that amount to be withdrawn. For example: if a user stakes an NFT worth $100 and, after staking, the staking contract receives $10 from Sablier, then the user should have the option to unstake those $10.

  • On full unstake, calculate the total Sablier stream amount received by the staking contract. As per the example above: if the total amount received is $50 and the staker now fully unstakes, then $50 should be sent to the user along with the Sablier NFT.
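
A minimal Python model of the accounting these recommendations describe, added here as an illustration; it is not the project's code. `StreamLedger` and its method names are hypothetical, amounts are integer token units, and it assumes amounts already paid out by a partial unstake are deducted from the full-unstake payout.

```python
# Hypothetical model of the recommended accounting (not the project's contract).
class StreamLedger:
    """Tracks, per staked NFT, stream proceeds received after staking."""

    def __init__(self):
        self.owner = {}     # nft_id -> staker who deposited it
        self.received = {}  # nft_id -> proceeds credited since stake, not yet paid out

    def stake(self, staker, nft_id):
        if nft_id in self.owner:
            raise ValueError("NFT already staked")
        self.owner[nft_id] = staker
        self.received[nft_id] = 0  # proceeds from before staking are not counted

    def on_stream_payment(self, nft_id, amount):
        # Called when the staking contract receives a payment for this NFT's stream.
        if nft_id not in self.owner:
            raise KeyError("NFT not staked")
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.received[nft_id] += amount

    def partial_unstake(self, staker, nft_id, amount):
        self._check_owner(staker, nft_id)
        # Only what the contract actually received since staking can leave.
        if amount <= 0 or amount > self.received[nft_id]:
            raise ValueError("amount exceeds proceeds received since staking")
        self.received[nft_id] -= amount
        return amount  # tokens paid to the staker

    def full_unstake(self, staker, nft_id):
        self._check_owner(staker, nft_id)
        payout = self.received.pop(nft_id)
        del self.owner[nft_id]
        return nft_id, payout  # the NFT and the remaining proceeds both go back

    def _check_owner(self, staker, nft_id):
        if self.owner.get(nft_id) != staker:
            raise PermissionError("caller did not stake this NFT")
```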

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
