DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

First staker gains unaccountable `FjordPoints` when `totalStaked == 0`

Summary

There is an edge case: when no stakers exist in the FjordPoints contract, calling distributePoints() results in points accumulating and being awarded to the first staker. I believe they should rather be discarded.

Vulnerability Details

Given how rewards are structured in the FjordStaking contract, which aims to allocate rewards on an epoch basis to previous epoch stakers, the current implementation of FjordPoints deviates from this approach.

Presently, if no stakers are present, Points accumulate within the FjordPoints contract and are granted to the first subsequent staker, rather than being forfeited for epochs without stakers. A fairer solution would be to forfeit Points for any epochs lacking stakers.

This accumulation of Points is facilitated by the following code:

```solidity
function distributePoints() public {
    if (block.timestamp < lastDistribution + EPOCH_DURATION) {
        return;
    }
    if (totalStaked == 0) { // <-- line highlighted in the submission
        return;
    }
    uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;
    pointsPerToken =
        pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));
    totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);
    lastDistribution = lastDistribution + (weeksPending * 1 weeks);
    emit PointsDistributed(pointsPerEpoch, pointsPerToken);
}
```

Although the code correctly exits when totalStaked == 0, it fails to update the lastDistribution variable, resulting in unfair accumulation of Points.

Impact

From a user's perspective, this issue leads to new stakers unfairly receiving accumulated rewards from epochs with no stakers, creating an inequitable distribution and potential discouragement for early participation.

Tools Used

Manual Review

Recommendations

Modify the FjordPoints.distributePoints() function to update the lastDistribution variable when totalStaked == 0, preventing unfair accumulation of Points.
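
The accounting described above, as an added example that is not part of the original submission or the Fjord code base: a Python integer model of the quoted `distributePoints()` logic, run with and without the recommended update of `lastDistribution`. The `stake` helper (assumed to trigger a distribution before the balance changes), the `forfeit_empty_epochs` flag and the `POINTS_PER_EPOCH` value are assumptions made for illustration.

```python
EPOCH_DURATION = 7 * 24 * 3600      # "1 weeks" in the quoted Solidity
PRECISION_18 = 10**18
POINTS_PER_EPOCH = 100 * 10**18     # constructed value, not taken from the page


class PointsModel:
    """Integer model of the distributePoints() accounting quoted above."""

    def __init__(self, start, forfeit_empty_epochs):
        self.last_distribution = start
        self.forfeit_empty_epochs = forfeit_empty_epochs  # hypothetical switch
        self.total_staked = 0
        self.points_per_token = 0
        self.total_points = 0

    def distribute_points(self, now):
        if now < self.last_distribution + EPOCH_DURATION:
            return
        weeks_pending = (now - self.last_distribution) // EPOCH_DURATION
        if self.total_staked == 0:
            if self.forfeit_empty_epochs:
                # One way to apply the recommendation: advance the clock so
                # epochs without stakers are dropped instead of carried over.
                self.last_distribution += weeks_pending * EPOCH_DURATION
            return
        self.points_per_token += weeks_pending * (
            POINTS_PER_EPOCH * PRECISION_18 // self.total_staked)
        self.total_points += POINTS_PER_EPOCH * weeks_pending
        self.last_distribution += weeks_pending * EPOCH_DURATION

    def stake(self, amount, now):
        # Assumption: staking runs a distribution before the balance changes.
        self.distribute_points(now)
        self.total_staked += amount


def first_staker_points(forfeit_empty_epochs, empty_epochs=5, amount=10**18):
    """Points owed to a lone staker one epoch after staking, following
    `empty_epochs` epochs in which nobody was staked."""
    model = PointsModel(start=0, forfeit_empty_epochs=forfeit_empty_epochs)
    t_stake = empty_epochs * EPOCH_DURATION
    model.stake(amount, t_stake)
    model.distribute_points(t_stake + EPOCH_DURATION)
    return amount * model.points_per_token // PRECISION_18


if __name__ == "__main__":
    for label, flag in (("as quoted", False), ("with update", True)):
        epochs = first_staker_points(flag) // POINTS_PER_EPOCH
        print(f"{label}: first staker is credited {epochs} epoch(s) of points")
```

With five empty epochs before the first stake, the quoted logic credits the staker for six epochs after one epoch of staking, while the variant that advances `lastDistribution` credits one.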

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
