`FjordPoints` incorrectly accumulates `Points` for the first staker when `totalStaked == 0`.
Summary
In an edge case where there are no stakers in the FjordPoints contract, after calling distributePoints(), Points are accumulated and will be awarded to the first staker instead of being discarded.
Vulnerability Details
Considering how rewards are distributed in the FjordStaking contract, where rewards are intended to be distributed on an epoch basis to the stakers of the previous epoch, the current implementation of FjordPoints does not follow this principle.
In the current implementation, if there are no stakers, Points accumulate in the FjordPoints contract and are awarded to the first staker who joins later, rather than being forfeited for the epochs with no stakers. The most equitable solution would be to forfeit Points for all epochs during which there were no stakers.
The accumulation of Points occurs due to this code:
While the code correctly returns if totalStaked == 0, it does not update the lastDistribution variable, leading to unfair Points accumulation.
Impact
Unfair
Pointsdistribution.
Code Snippet
https://github.com/Cyfrin/2024-08-fjord/blob/main/src/FjordPoints.sol#L237-L239
Tools Used
Manual review.
Recommendations
Update the lastDistribution variable in the FjordPoints.distributePoints() function when totalStaked == 0 to prevent unfair accumulation of Points.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.