DeFiFoundry
20,000 USDC
Submission Details
Severity: high
Invalid

Authorized users can use malicious streams and stake the same tokens repeatedly

Summary

Users can stake Sablier streams as vested FJORD tokens. In that case, the stream NFT gets transferred to the staking contract.

Sablier offers several types of streams. One of them is Timelock, which releases all of the assets to the user after a certain period of time.

The issue is that a malicious user can strategically set up Timelock streams in a way that lets them stake the same tokens repeatedly and gain staking points.

Vulnerability Details

https://github.com/Cyfrin/2024-08-fjord/blob/main/src/FjordStaking.sol#L397

A Timelock stream can be configured so that its assets are released just after staking. The same tokens can then be used to open another stream, and repeating the process doubles the staking points. Repeated indefinitely, this could theoretically yield unlimited points.

There is a check that restricts the function to allowed senders, but that is not enough. Allowed users can still profit by exploiting this issue.

Impact

Staking points can be gained maliciously!

Tools Used

Manual review.

Recommendations

Validating by stream ID would be the best option, but allowing only selected stream types would also mitigate the risk.

Updates

Lead Judging Commences

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
