Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

FjordPoints fails to account for a users stake duration in points allocation

Ward

Summary

The FjordPoints contract does not take into account how long a user has been in the staking contract when calculating points with distributePoints. Therefore, we can stake for the entire duration within the EPOCH_DURATION or before the end of the epoch, and nothing will change in terms of point earning.

Vulnerability Details

This structure goes against the basic principles of staking and does not incentivize rewarding those who have been staking for a long time in the staking contract. Instead of staking basically, it just requires us to call the stake before the end of the epoch.

The following Proof of Concept demonstrates that a user staking on the last day of the epoch has pendingPoints that should not normally be present:

// Paste it into points.t.sol to run the test
function testStakeTime() public {
address user = address(0x2);
uint256 amount = 1000 ether;
vm.startPrank(staking);
skip(6 days); // I didn't stake anything for the first 6 days
fjordPoints.onStaked(user, amount);
fjordPoints.users(user);
skip(1 days);
fjordPoints.onStaked(user, 1 wei); // This is just to trigger the updatePendingPoints modifier
(,uint256 pendingPoints,) = fjordPoints.users(user);
assertEq(pendingPoints, 100000000000000000000);
}

Impact

Users do not actually need to stay in the staking contract to access their points.

Tools Used

Foundry

Recommendations

Design the FjordPoints contract to incentivize users to stake throughout the epoch.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.