Submission Details
Severity:
First stakers can receive more points for epochs when `totalStaked` was 0
Summary
The first stakers can receive an unexpectedly big amount of FjordPoints for all epochs when totalStaked was zero.
Vulnerability Details
The distributePoints function distributes points for weeksPending period which reflects how many epochs were passed from the last distribution even totalStaked was zero. This way the first stakers will receive points for all previous epochs.
function distributePoints() public {
if (block.timestamp < lastDistribution + EPOCH_DURATION) {
return;
}
if (totalStaked == 0) {
>> return;
}
uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;
pointsPerToken =
pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));
totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);
>> lastDistribution = lastDistribution + (weeksPending * 1 weeks);
emit PointsDistributed(pointsPerEpoch, pointsPerToken);
}
Impact
Unexpected FjordPoints distribution
Tools used
Manual Review
Recommendations
Consider updating lastDistribution even if totalStaked == 0 but without totalPoints increasing.
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
66230 USDC / LOC
16,000 USDC
2,500 USDC
1,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.