Incomplete Handling of Active Deposits in `stake` and `stakeVested` Functions
Summary
The stake and stakeVested functions in the FjordStaking contract fail to properly manage the _activeDeposits mapping for stakes which are done in different epoch, it just sum up the dr.stakedAmount. This oversight can lead to incomplete or inaccurate tracking of active deposits, especially affecting the unstakeAll function.
Vulnerability Details
Incomplete Active Deposits Tracking: Both
stakeandstakeVestedfunctions check if theDepositReceiptfor the current epoch has been initialized (dr.epoch == 0). If it hasn't, they initialize it and add the epoch to_activeDeposits. However, if a user stakes additional tokens in next/different epoch, the functions do not update_activeDepositsagain, even though the deposit is still active.Impact on
unstakeAll: Since_activeDepositsis not updated when multiple stakes occur in different epoch, theunstakeAllfunction might not accurately track and handle all active deposits. This could result in incomplete or incorrect removal of deposits, leading to issues in properly managing or unstaking the deposited tokens.
Impact
Inaccurate Tracking: Active deposits may not be accurately tracked if users make multiple stakes within the different epoch, potentially leading to incorrect or incomplete handling of deposits during unstaking.
Tools Used
manual code review
Recommendations
Update Active Deposits for Repeated Stakes: Ensure that the _activeDeposits mapping is updated each time a user stakes tokens in next epoch . This can be done by always adding the current epoch to _activeDeposits regardless of whether it has been initialized previously.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.