DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

A user can stake 1 wei so that his `epoch` is set to 1, then stake a large amount again 1 second before the end of the `lockCycle`, which will accrue him rewards for the whole epoch

Summary

A user can game the staking system and receive a large reward for staking a large sum for only 1 second, which will inflate honest stakers' reward.

Vulnerability Details

In FjordStaking, a user can call the `stake` function providing only 1 wei of FJORD tokens. This sets `dr.epoch` to the `currentEpoch`, which is used later in the `unstake` function to determine whether the user has waited the entire `lockCycle` (currently set to 6 epochs, or 6 weeks):

```solidity
function unstake(uint16 _epoch, uint256 _amount)
    external
    checkEpochRollover
    redeemPendingRewards
    returns (uint256 total)
{
    ...
    // _epoch is same as current epoch then user can unstake immediately
    if (currentEpoch != _epoch) {
        // _epoch less than current epoch then user can unstake after at complete lockCycle
        if (currentEpoch - _epoch <= lockCycle) revert UnstakeEarly();
    }
    ...
}
```

This is the design, which locks the user's funds so he can honestly accrue rewards and points on each epoch (week). The problem is that an exploiter can game the design: after staking only 1 wei, he waits for the cycle to pass and "stakes" a large amount of FJORD tokens a few seconds before the last epoch update for his cycle. After those seconds, when the epoch is updated, he will be able to unstake his funds, together with the accrued reward and points for the whole epoch (week).

Impact

  • Inflation of rewards for honest stakers

  • Break core staking functionality

Tools Used

Manual Review

Recommendations

  • For each new stake of a user, track a different lockCycle, so he cannot game the current design
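
One way to read this recommendation, as an added example (not FjordStaking code and not part of the submission): a simplified accounting model that records each stake under the epoch it was made in and applies the lock check from the `unstake` excerpt in Vulnerability Details to that deposit alone. Only `lockCycle`, `currentEpoch` and `UnstakeEarly` come from the page; every other name, the manual `advanceEpoch` helper, and the absence of token transfers and rewards are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not FjordStaking code: accounting only, no token
/// transfers or rewards. Names other than lockCycle, currentEpoch and
/// UnstakeEarly are hypothetical.
contract PerStakeLockModel {
    error UnstakeEarly();
    error InsufficientDeposit();

    uint16 public currentEpoch = 1;
    uint8 public constant lockCycle = 6;

    // user => epoch in which the stake was made => amount staked in that epoch
    mapping(address => mapping(uint16 => uint256)) public deposits;

    /// Test helper (assumption): advances the epoch by hand instead of by time.
    function advanceEpoch() external {
        currentEpoch += 1;
    }

    /// Every stake is recorded under the epoch it was made in, so a later
    /// top-up never inherits the lock start of an earlier, smaller stake.
    function stake(uint256 amount) external {
        deposits[msg.sender][currentEpoch] += amount;
    }

    function unstake(uint16 epoch, uint256 amount) external {
        if (deposits[msg.sender][epoch] < amount) revert InsufficientDeposit();
        // Same lock check as the unstake excerpt, applied to this deposit only.
        if (currentEpoch != epoch) {
            if (currentEpoch - epoch <= lockCycle) revert UnstakeEarly();
        }
        deposits[msg.sender][epoch] -= amount;
    }
}
```

In this model, a stake made in epoch 7 reverts with `UnstakeEarly` when unstaked in epoch 8, regardless of what the same user staked in epoch 1.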

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
