Users who stake for just 5 minutes will earn a week worth of point token.
Summary
The logic of the way points are distributed in the FjordPoints, doesn't penalize late stakers, so some who staked 5 minutes to the point being distributed will earn the same amount as someone who staked 5 days to the reward being distributed this is unfair to people who staked early.
Vulnerability Details
The updatePendingPointsthe function doesn't track the time the user staked to update their point reward, so whether they stake 1 minute to the reward being distributed or 7 days to the points being distributed they will earn something as long as they staked the same amount.
Impact
Loss of points to early stakers.
Tools Used
Recommendations
As on the FjordStaking contract, stakers should start earning points from the next epoch.
Appeal created
If epoch end times of FjordStaking and FjordPoints are desynchronized, users will be able to exploit the desynchronization to stake>claim>unstake instantly, getting points they shouldn't
Impact: High - Users are getting an unreasonable amount of points through exploiting a vulnerability Likelihood: Low - Most of the times, when using the script, all deployment tx will get processed in the same block. But, there is a small chance for them to be processed in different blocks.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.