DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Manipulation of `rewardPerToken` Calculation via Direct Token Transfers

Summary

The `_checkEpochRollover` function derives the epoch's `rewardPerToken` from the contract's `fjordToken` balance. Because `balanceOf` cannot distinguish tokens deposited through the reward-funding path from tokens transferred directly to the contract address, anyone who sends `fjordToken` straight to the contract changes the reward figure computed at the next rollover.

Vulnerability Details

At rollover, `pendingRewards` is computed as the contract's current `fjordToken` balance (`currentBalance`) minus the amounts the contract already accounts for (staked principal and rewards credited in earlier epochs). Any surplus is treated as new reward and converted into `pendingRewardsPerToken` by dividing over the total stake.

Tokens transferred directly to the contract, outside the reward-funding function, raise `currentBalance` without touching any of the tracked amounts, so they are counted as reward. The inflated `pendingRewardsPerToken` is then credited against every staked token, so the reward paid for that epoch no longer reflects what the protocol actually funded. The root cause is that the calculation trusts `balanceOf` as a measure of rewards without recording where the tokens came from.

Impact

If `currentBalance` can be moved by direct transfers, the per-epoch reward figure is no longer under the protocol's control. Because the extra balance is only ever added to `pendingRewards`, the effect is strictly inflationary: the epoch in which the rollover happens pays out more than was funded, to whoever is staked at that moment. Nobody is underpaid relative to the intended schedule. The tokens sent directly are forfeited by the sender and distributed pro rata across all stakers, so the sender recovers at most their own share and cannot profit from it; the practical consequence is reward accounting that does not match the funded amount, which can cause disputes and complicate reconciliation rather than direct theft.

Tools Used

Manual Code Review

Recommendations

Do not infer rewards from `balanceOf`. Record reward deposits explicitly (for example, have the reward-funding function add the transferred amount to a `pendingRewards` counter) and compute `pendingRewardsPerToken` at rollover from that recorded amount and the tracked total stake only. With this change a direct transfer to the contract is simply ignored by the reward maths; if such tokens should be recoverable, pair the change with an owner-only sweep that only releases balance above the tracked staked and reward totals.
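The following Python model is an added illustration of the accounting described in the Vulnerability Details and of the recommendation above; it is not Fjord Foundry code. It places a balance-inferring rollover next to one that only credits rewards deposited through an explicit funding call, runs both against the same constructed scenario (two stakers, one legitimate reward deposit, one direct transfer), and also shows that a staker who makes the direct transfer recovers only a pro-rata share of it. All names, amounts, the `PRECISION` scale and the simplified stake/earned bookkeeping are assumptions.

```python
"""Toy model of epoch-rollover reward accounting (added example, not project code).

Two simplified staking pools share one mock token. BalanceBasedStaking infers
new rewards at rollover from balanceOf, the pattern the report describes.
TrackedStaking credits only rewards that arrive through add_reward().
"""
from dataclasses import dataclass, field

PRECISION = 10**18  # assumed fixed-point scale, like a Solidity 1e18 multiplier


@dataclass
class MockToken:
    """Minimal ERC-20-like ledger: just mint, transfer and balanceOf."""
    balances: dict = field(default_factory=dict)

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError(f"{src} has insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)


class StakingBase:
    """Shared bookkeeping: principal per staker, cumulative reward-per-token."""

    def __init__(self, token: MockToken, addr: str):
        self.token = token
        self.addr = addr
        self.total_staked = 0
        self.total_rewards = 0      # rewards already folded into reward_per_token
        self.reward_per_token = 0   # cumulative, scaled by PRECISION
        self.stakes = {}

    def stake(self, who: str, amount: int) -> None:
        self.token.transfer(who, self.addr, amount)
        self.stakes[who] = self.stakes.get(who, 0) + amount
        self.total_staked += amount

    def earned(self, who: str) -> int:
        return self.stakes.get(who, 0) * self.reward_per_token // PRECISION

    def _credit(self, pending: int) -> None:
        if self.total_staked > 0 and pending > 0:
            self.reward_per_token += pending * PRECISION // self.total_staked
            self.total_rewards += pending


class BalanceBasedStaking(StakingBase):
    """Rollover treats any balance beyond staked principal and already-credited
    rewards as new reward, so a direct transfer is indistinguishable from funding."""

    def add_reward(self, funder: str, amount: int) -> None:
        self.token.transfer(funder, self.addr, amount)  # no bookkeeping at all

    def rollover(self) -> int:
        pending = self.token.balance_of(self.addr) - self.total_staked - self.total_rewards
        self._credit(pending)
        return pending


class TrackedStaking(StakingBase):
    """Rollover credits only rewards deposited via add_reward(); tokens sent
    directly to the pool address are never counted as reward."""

    def __init__(self, token: MockToken, addr: str):
        super().__init__(token, addr)
        self.pending_rewards = 0

    def add_reward(self, funder: str, amount: int) -> None:
        self.token.transfer(funder, self.addr, amount)
        self.pending_rewards += amount

    def rollover(self) -> int:
        pending = self.pending_rewards
        self.pending_rewards = 0
        self._credit(pending)
        return pending

    def unaccounted(self) -> int:
        """Balance no accounting path knows about (what a sweep could release)."""
        return (self.token.balance_of(self.addr) - self.total_staked
                - self.total_rewards - self.pending_rewards)


def scenario(cls, mallory_stake: int = 0):
    """Constructed scenario: alice/bob stake, owner funds 40, mallory sends 400
    directly to the pool (optionally after staking mallory_stake herself)."""
    token = MockToken()
    for who, amt in (("alice", 100), ("bob", 300), ("owner", 40),
                     ("mallory", 400 + mallory_stake)):
        token.mint(who, amt)
    pool = cls(token, "pool")
    pool.stake("alice", 100)
    pool.stake("bob", 300)
    if mallory_stake:
        pool.stake("mallory", mallory_stake)
    pool.add_reward("owner", 40)             # legitimate funding path
    token.transfer("mallory", "pool", 400)   # direct transfer, bypasses add_reward
    pool.rollover()
    return pool


if __name__ == "__main__":
    for cls in (BalanceBasedStaking, TrackedStaking):
        p = scenario(cls)
        print(cls.__name__, "rewardPerToken =", p.reward_per_token / PRECISION,
              "alice earned", p.earned("alice"), "bob earned", p.earned("bob"))
    p = scenario(BalanceBasedStaking, mallory_stake=600)
    print("mallory sent 400 and earned back", p.earned("mallory"))
```

With the balance-inferring rollover the 400 directly transferred tokens are credited as reward on top of the 40 that were funded, so `rewardPerToken` is 1.1 instead of 0.1 and alice is paid 110 instead of 10. With tracked accounting the figure stays at 0.1 and the 400 tokens sit in the pool as unaccounted balance. When mallory is herself staked (600 of 1000 total) she gets back 264 of the 400 she sent, which is why the direct transfer is a donation to the other stakers rather than a profitable manipulation.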

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
