Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

Unfair rewards distribution on vested tokens

pontifex

Summary

Vested FJORD tokens owners are extremely motivated to stake their NFTs compared to other FJORD tokens owners. In fact vested FJORD tokens owners receive rewards on the tokens which they will own in future. This way there is definitely an unfair rewards distribution.

Vulnerability Details

The stakeVested function considers the all rest of vested tokens as a deposit amount independently of the vesting period:

function stakeVested(uint256 _streamID) external checkEpochRollover redeemPendingRewards {
//CHECK
if (!sablier.isStream(_streamID)) revert NotAStream();
if (sablier.isCold(_streamID)) revert NotAWarmStream();
// only allow authorized stream sender to stake cancelable stream
if (!authorizedSablierSenders[sablier.getSender(_streamID)]) {
revert StreamNotSupported();
}
if (address(sablier.getAsset(_streamID)) != address(fjordToken)) revert InvalidAsset();
>> uint128 depositedAmount = sablier.getDepositedAmount(_streamID);
>> uint128 withdrawnAmount = sablier.getWithdrawnAmount(_streamID);
>> uint128 refundedAmount = sablier.getRefundedAmount(_streamID);
if (depositedAmount - (withdrawnAmount + refundedAmount) <= 0) revert InvalidAmount();
>> uint256 _amount = depositedAmount - (withdrawnAmount + refundedAmount);

This way vested tokens stakers can receive rewards for all tokens which they possibly receive in future.

Impact

Unfair rewards distribution, asset losses

Tools used

Manual Review

Recommendations

Consider rewarding vested tokens owners only for amounts which they could withdraw in particular epochs.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.