Fjord Token Staking

Summary

While the unstakeAll function efficiently handles the unstaking of assets, it does not take into consideration the potential penalties for early reward claims. This omission presents a significant issue in the context of the platform's reward distribution mechanism.

If a user attempts to claim their rewards before a specified epoch or time, they incur a penalty. This penalty often involves forfeiting a portion of the rewards, which serves as a deterrent against early withdrawal and encourages long-term staking.

Vulnerability Details
The critical issue with the unstakeAll function is that it allows users to withdraw all their staked assets without triggering the early reward penalty. Specifically:

Simultaneous Unstaking and Reward Claim: When a user calls the unstakeAll function, they effectively remove all their stakes, which could allow them to claim all accrued rewards at the same time. This is particularly problematic if the user unstakes during a period when an early withdrawal penalty should apply.

Bypassing the Penalty Mechanism: The current implementation does not apply any checks or calculations to enforce the early withdrawal penalty during the unstakeAll process. As a result, users can bypass the intended reward penalty system, potentially leading to unfair reward distribution and undermining the incentive structure.

Impact

In a worst-case scenario, this flaw could be exploited by users who understand the contract's internal workings. They might strategically unstake at specific times to maximize rewards while avoiding penalties, which could lead to an imbalance in the reward distribution.

Tools Used

Manual analysis

Recommendations

Ensure that unstaking operations automatically consider any pending rewards and apply the appropriate penalties. This can be achieved by linking the unstake logic with the reward claim logic, so users cannot unstake without first resolving any outstanding rewards.