Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

UnstakeAll() doesnt unstake from the current epoch

anonymousjoe

Summary

The unstakeAll() function doesnt unstake from the current epoch eventhough it is unstakable.

Vulnerability Details

The unstakeAll() function in FjordStaking says that it unstakes from all epochs. This is untrue, since not only the stakes < lockCycle, but even the stakes done in the current epoch are not unstaked.(https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L566-L607)

It is understandable that stakes < lockCycle cant be unstaked, but the stakes done in the current epoch are unstakable.

Impact

User may assume that all the stakes are unstaked, but this is not the case.

Tools Used

Manual Review

Recommendations

Update the code as follows:

DepositReceipt storage dr = deposits[msg.sender][epoch];
// added portion line 3-14
if(dr.epoch != 0 && epoch == currentEpoch){
newStaked -= dr.staked;
totalStakedAmount += dr.staked;
if (dr.vestedStaked == 0) {
delete deposits[msg.sender][epoch];
_activeDeposits[msg.sender].remove(epoch);
} else {
dr.staked = 0;
}
continue;
}
if (dr.epoch == 0 || currentEpoch - epoch <= lockCycle) continue;
totalStakedAmount += dr.staked;
Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Appeal created

anonymousjoe Submitter
10 months ago
inallhonesty Lead Judge
10 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.