DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

Users will receive the same amount of rewards even though they staked at different times

Vulnerability details

Users staking their Fjord Foundry token are eligible for Fjord Points rewards. Fjord Points can be distributed after 7 days by anyone.

Points are distributed at the end of an epoch. One user can stake for a few days longer and will still receive the same amount of tokens as a user who staked at the end of the epoch.

Proof of Concept

Set bool isMock = false; in the FjordStakingBase.t.sol contract.

Paste this test inside the stake.t.sol contract and run forge test --match-test "testStakingSameRewards" -vvv.

    function testStakingSameRewards() public {
        // Fund bob and wire the points contract to the staking contract.
        deal(address(token), bob, 1 ether);
        FjordPoints(points).setStakingContract(address(fjordStaking));

        // Alice stakes at the start.
        vm.prank(alice);
        fjordStaking.stake(1 ether);

        // Bob stakes the same amount 6 days later.
        vm.startPrank(bob);
        vm.warp(block.timestamp + 6 days);
        token.approve(address(fjordStaking), 1 ether);
        fjordStaking.stake(1 ether);
        vm.stopPrank();

        // One more week passes, then both claim their points.
        vm.warp(block.timestamp + 1 weeks);
        vm.prank(alice);
        FjordPoints(points).claimPoints();
        vm.prank(bob);
        FjordPoints(points).claimPoints();

        // The test asserts that both balances are equal.
        assertEq(
            FjordPoints(points).balanceOf(address(bob)),
            FjordPoints(points).balanceOf(address(alice))
        );
    }

Impact

Users will receive the same amount of rewards even though they staked at different times.

Recommended Mitigation Steps

A possible solution for this problem is a reward system based on rewards per second. It is fairer to users and prevents reward sniping.
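
The per-second approach recommended above, sketched as an added example (not code from this submission or from the Fjord contracts): a simplified Python model of a cumulative reward-per-token accumulator, replayed over the PoC's timeline. The class, the constant emission rate and the integer scaling are assumptions made for illustration.

```python
# Added illustration: simplified per-second reward accumulator (not Fjord's code).
PRECISION = 10**18   # fixed-point scale, mirroring integer-only contract arithmetic
DAY = 86_400


class PerSecondRewards:
    """Emits `rate` reward units per second, split pro rata by current stake."""

    def __init__(self, rate):
        self.rate = rate          # assumed constant emission rate (units per second)
        self.total_staked = 0
        self.acc_per_token = 0    # cumulative reward per staked unit, scaled by PRECISION
        self.last_update = 0
        self.staked = {}
        self.paid_index = {}      # accumulator value at each user's last settlement
        self.owed = {}

    def _settle(self, user, now):
        # Advance the global accumulator over the elapsed interval first.
        if self.total_staked > 0:
            elapsed = now - self.last_update
            self.acc_per_token += elapsed * self.rate * PRECISION // self.total_staked
        self.last_update = now
        # Then credit the user only for growth since their own last settlement.
        delta = self.acc_per_token - self.paid_index.get(user, 0)
        self.owed[user] = self.owed.get(user, 0) + self.staked.get(user, 0) * delta // PRECISION
        self.paid_index[user] = self.acc_per_token

    def stake(self, user, amount, now):
        self._settle(user, now)   # settle before the balance changes
        self.staked[user] = self.staked.get(user, 0) + amount
        self.total_staked += amount

    def claim(self, user, now):
        self._settle(user, now)
        amount, self.owed[user] = self.owed[user], 0
        return amount


def poc_timeline(rate=1_000):
    """Replays the PoC timing: alice at t=0, bob at t=6 days, both claim at t=13 days."""
    pool = PerSecondRewards(rate)
    pool.stake("alice", 10**18, now=0)
    pool.stake("bob", 10**18, now=6 * DAY)
    end = 13 * DAY
    return pool.claim("alice", end), pool.claim("bob", end)
```

In this model alice is credited for 9.5 stake-days of emissions and bob for 3.5, because a staker's share is settled against the accumulator at every balance change.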

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
