Fjord Token Staking

Summary

The stake and stakeVested functions update the userData[msg.sender].unredeemedEpoch but fail to immediately update userData[msg.sender].totalStaked. Instead, totalStaked is only updated by the _redeem function under specific conditions. This deferral can lead to inconsistencies in the totalStaked value, as it should reflect all staked amounts immediately to ensure accurate reward calculations.

Vulnerability Details

Both the stake and stakeVested functions handle staking operations but do not update the totalStaked field in userData immediately. They update unredeemedEpoch to indicate the latest epoch of unclaimed rewards, but totalStaked is only updated by the _redeem function. The _redeem function adjusts totalStaked based on pending rewards but only if certain conditions are met (e.g., ud.unredeemedEpoch > 0 && ud.unredeemedEpoch < currentEpoch). This condition might not always be satisfied after a staking action, leading to discrepancies in totalStaked.

Impact

The lack of immediate updates to totalStaked can result in an inaccurate record of the total staked amount. This discrepancy can lead to incorrect reward calculations, as the totalStaked value may not reflect recent staking activities until _redeem is called. This can affect reward distribution, potentially leading to users receiving either too few or too many rewards.

Tools Used

Manual Code Review

Recommendations

Ensure that userData[msg.sender].totalStaked is always accurate and reflects the latest staking amounts by updating it directly within both stake and stakeVested functions. Additionally, remove the update of totalStaked from the _redeem function to prevent redundant or conflicting updates.