DeFiFoundry
20,000 USDC
Submission Details
Severity: medium
Invalid

Potential Truncation and Dilution Vulnerability in FjordPoints::distributePoints Function

Summary

The distributePoints function in the FjordPoints contract contains a potential vulnerability related to the truncation of the weeksPending value and the dilution of rewards for early stakers. Specifically, if weeksPending has a fractional component, it will be truncated to an integer, potentially leading to delayed distribution of points. Additionally, if new users stake tokens just before the points distribution, the rewards for early stakers may be diluted, leading to an unfair distribution of points.

Vulnerability Details

function distributePoints() public {
    if (block.timestamp < lastDistribution + EPOCH_DURATION) {
        return;
    }
    if (totalStaked == 0) {
        return;
    }
@>  uint256 weeksPending = (block.timestamp - lastDistribution) / EPOCH_DURATION;
    pointsPerToken =
        pointsPerToken.add(weeksPending * (pointsPerEpoch.mul(PRECISION_18).div(totalStaked)));
    totalPoints = totalPoints.add(pointsPerEpoch * weeksPending);
    lastDistribution = lastDistribution + (weeksPending * 1 weeks);
    emit PointsDistributed(pointsPerEpoch, pointsPerToken);
}

Dilution of Rewards: If new users stake tokens just before the distribution of points, the rewards for earlier stakers may be diluted. The pointsPerToken calculation uses the current totalStaked amount, which includes any recent stakes. This can lead to a situation where early stakers receive fewer points than they should have, due to the sudden increase in total staked tokens.

Truncation of weeksPending: The division of (block.timestamp - lastDistribution) by EPOCH_DURATION results in a uint256 value for weeksPending. If this value has a fractional component, it will be truncated, potentially leading to an underestimation of the actual time that has passed since the last distribution. This can delay the distribution of points, affecting the overall reward mechanism.

Impact

Dilution Impact: The dilution of rewards due to late staking can cause unfair distribution of points, where early stakers, who have contributed to the pool for a longer time, receive fewer rewards than expected. This undermines the fairness and integrity of the staking mechanism.

Truncation Impact: The truncation of weeksPending can lead to delayed point distributions, meaning that stakers might not receive the rewards they are entitled to in a timely manner. This delay can compound over time, leading to larger discrepancies in reward distribution.

Tools Used

Manual Review

Recommendations

To prevent dilution, consider locking the staking function during the distribution process. This ensures that the totalStaked value remains consistent throughout the calculation and distribution of points, preventing any late stakers from diluting rewards.

Instead of truncating weeksPending, consider implementing logic to handle fractional epochs. For example, calculate the points for the fractional week separately to ensure that all time periods are accounted for in the distribution.
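
The arithmetic of the distributePoints function quoted under Vulnerability Details, modeled in Python as an added example (not part of the submission or of the Fjord code base). It assumes EPOCH_DURATION equals 1 weeks, covers only the function shown, and replays a constructed timeline in which one call arrives at 2.5 weeks and the next at 3 weeks.

```python
# Added model of distributePoints(); names mirror the quoted Solidity, values are constructed.
WEEK = 7 * 24 * 60 * 60
EPOCH_DURATION = WEEK          # assumption: one epoch is one week
PRECISION_18 = 10**18


class PointsModel:
    """Integer-only mirror of the state touched by distributePoints()."""

    def __init__(self, points_per_epoch, total_staked, start=0):
        self.points_per_epoch = points_per_epoch
        self.total_staked = total_staked
        self.last_distribution = start
        self.points_per_token = 0
        self.total_points = 0

    def distribute_points(self, now):
        """Return the number of whole epochs credited by this call."""
        if now < self.last_distribution + EPOCH_DURATION:
            return 0
        if self.total_staked == 0:
            return 0
        # Floor division matches Solidity's uint256 division.
        weeks_pending = (now - self.last_distribution) // EPOCH_DURATION
        self.points_per_token += weeks_pending * (
            self.points_per_epoch * PRECISION_18 // self.total_staked
        )
        self.total_points += self.points_per_epoch * weeks_pending
        # Advances by whole epochs only, so the truncated remainder stays pending.
        self.last_distribution += weeks_pending * WEEK
        return weeks_pending


def replay(call_times, points_per_epoch=100 * 10**18, total_staked=1_000 * 10**18):
    """Call distribute_points at each timestamp; return (epochs credited, model)."""
    model = PointsModel(points_per_epoch, total_staked)
    credited = [model.distribute_points(t) for t in call_times]
    return credited, model


if __name__ == "__main__":
    credited, m = replay([WEEK * 5 // 2, 3 * WEEK])
    print(credited, m.last_distribution // WEEK, m.total_points // 10**18)
```

In this model the call at 2.5 weeks credits two epochs and leaves lastDistribution at week 2, so the call at week 3 credits the third; the totals equal those of a single call at week 3.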

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
