Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Inaccurate `rewardPerToken` Calculation for Each Epoch

n3smaro

Summary

The _checkEpochRollover function updates the rewardPerToken for each epoch by adding pendingRewardsPerToken to the reward per token value of the previous epoch. However, this approach results in the same rewardPerToken value being assigned to all the epochs in the range from lastEpochRewarded + 1 to currentEpoch. This could lead to inaccuracies in reward distribution, as the pendingRewardsPerToken should reflect changes in rewards per token specific to each epoch.

Vulnerability Details

In the current implementation, the rewardPerToken for each epoch is calculated as:

if (totalStaked > 0) {

uint256 currentBalance = fjordToken.balanceOf(address(this));

// no distribute the rewards to the users coming in the current epoch

uint256 pendingRewards = (currentBalance + totalVestedStaked + newVestedStaked)

- totalStaked - newStaked - totalRewards;

uint256 pendingRewardsPerToken = (pendingRewards * PRECISION_18) / totalStaked;

totalRewards += pendingRewards;

for (uint16 i = lastEpochRewarded + 1; i < currentEpoch; i++) {

rewardPerToken[i] = rewardPerToken[lastEpochRewarded] + pendingRewardsPerToken;

emit RewardPerTokenChanged(i, rewardPerToken[i]);

}

} else {

for (uint16 i = lastEpochRewarded + 1; i < currentEpoch; i++) {

rewardPerToken[i] = rewardPerToken[lastEpochRewarded];

emit RewardPerTokenChanged(i, rewardPerToken[i]);

}

This calculation uses a constant pendingRewardsPerToken for each epoch, which means every epoch in the range from lastEpochRewarded + 1 to currentEpoch will have the same reward per token value. This is incorrect because the pendingRewardsPerToken should be updated based on the actual rewards distributed during each epoch. Instead of accumulating rewards correctly per epoch, this implementation uses a flat value that might not accurately represent the distribution of rewards over time.

Impact

This issue will result in inaccurate reward calculations for epochs where the rewards should vary. As a result, users may receive either too little or too much reward, depending on the actual distribution of rewards during each epoch. This could lead to discrepancies in the reward distribution, potentially causing disputes among users and undermining the integrity of the reward system.

Tools Used

Manual Code Review

Recommendations

To address this issue, calculate rewardsPerToken separately for each epoch based on the rewards distributed during that specific epoch.

Updates

Lead Judging Commences

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.