Fjord Token Staking

Summary

the newStaked and newVestedStaked variables, which track the staked tokens in the current epoch, are not consistently handled. Specifically, these variables are decremented during the unstaking process within the same epoch without ensuring they only affect the current epoch. This inconsistency will lead to inaccurate calculations of the staked amounts and reward distribution.

Vulnerability Details

The newStaked and newVestedStaked variables are intended to track the total amount of tokens staked in the current epoch. However, when users unstake tokens within the same epoch using the unstake or unstakeVested functions, these variables are decremented directly. This approach assumes that all staking and unstaking interactions within the epoch are isolated and that no other user actions could affect these values.

In practice, this assumption may not hold true, particularly if multiple users interact with the contract within the same epoch. Such interactions could lead to the variables being incorrectly adjusted, as they do not differentiate between the initial staking amount and any subsequent unstaking actions.

This decrement operation on newStaked or newVestedStaked during an unstake operation within the same epoch could lead to inconsistencies in the tracking of staked amounts.

Impact

1: The miscalculation of staked amounts within an epoch can result in incorrect reward calculations for users. Some users might receive more rewards than they are entitled to, while others might receive less.

2: The overall tracking of staked tokens within the contract could be incorrect, potentially leading to issues with the integrity of the staking mechanism, especially if these variables do not accurately reflect the actual staked amounts.

Tools Used

manaul review

Recommendations

1: Implement additional logic to ensure that newStaked and newVestedStaked are only updated when necessary.

2: Consider using epoch-specific variables that separately track staking and unstaking actions.