The onlyRewardAdmin modifier on the FjordStaking::addReward function implies that only an authorized actor should be able to add the Fjord token (FJO) to the contract. However, FJO can be freely transferred into the contract by anyone without calling the addReward function.
Any contract or EOA that holds FJO can transfer the tokens into the FjordStaking contract which will then be redistributed among the stakers.
Transferring funds directly to the staking contract differs from calling addReward in two ways:
No check for epoch rollover is performed, leading to potentially incorrect state.
The RewardAdded event is not emitted.
If someone sends FJO to the contract without calling addReward, the internal function _checkEpochRollover will not be triggered. Because of that, important state variables such as totalRewards, rewardPerToken and currentEpoch may become outdated.
Manual Review
Consider removing the onlyRewardAdmin modifier from FjordStaking::addReward to allow anyone to add rewards while ensuring that important state variables are automatically updated.
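Because a direct transfer emits no RewardAdded event, it can be spotted off-chain by reconciling FJO Transfer logs into the staking contract against the events the contract itself emits. The following monitoring sketch is an added example, not code from the FjordStaking project; the addresses, the log record layout and the `Staked` event name are assumptions, and the sample logs are constructed.

```python
from collections import defaultdict

# Placeholder addresses (constructed, not real deployments).
STAKING = "0xSTAKING"
FJO = "0xFJO"

# Events through which the staking contract accounts for incoming FJO.
# RewardAdded is named in the finding; "Staked" is an assumed name for staker deposits.
ACCOUNTING_EVENTS = {"RewardAdded", "Staked"}

# Constructed, already-decoded logs (hypothetical record layout).
SAMPLE_LOGS = [
    # addReward by the reward admin: transfer plus RewardAdded
    {"tx": "0xa1", "emitter": FJO, "event": "Transfer", "to": STAKING, "amount": 1000},
    {"tx": "0xa1", "emitter": STAKING, "event": "RewardAdded", "amount": 1000},
    # ordinary stake: transfer plus Staked
    {"tx": "0xa2", "emitter": FJO, "event": "Transfer", "to": STAKING, "amount": 250},
    {"tx": "0xa2", "emitter": STAKING, "event": "Staked", "amount": 250},
    # direct transfer: no event from the staking contract at all
    {"tx": "0xa3", "emitter": FJO, "event": "Transfer", "to": STAKING, "amount": 400},
    # direct transfer with a look-alike event emitted by an unrelated contract
    {"tx": "0xa4", "emitter": FJO, "event": "Transfer", "to": STAKING, "amount": 300},
    {"tx": "0xa4", "emitter": "0xOTHER", "event": "RewardAdded", "amount": 300},
    # outgoing transfer (e.g. a withdrawal) is not an inflow
    {"tx": "0xa5", "emitter": FJO, "event": "Transfer", "to": "0xuser", "amount": 50},
]


def unaccounted_deposits(logs, token=FJO, staking=STAKING):
    """Map tx hash -> FJO amount that reached `staking` without a matching
    accounting event emitted by `staking` in the same transaction."""
    received = defaultdict(int)
    accounted = defaultdict(int)
    for log in logs:
        if log["emitter"] == token and log["event"] == "Transfer" and log["to"] == staking:
            received[log["tx"]] += log["amount"]
        elif log["emitter"] == staking and log["event"] in ACCOUNTING_EVENTS:
            # Only events emitted by the staking contract itself count.
            accounted[log["tx"]] += log["amount"]
    return {tx: amt - accounted[tx] for tx, amt in received.items() if amt > accounted[tx]}


if __name__ == "__main__":
    for tx, amount in unaccounted_deposits(SAMPLE_LOGS).items():
        print(f"{tx}: {amount} FJO entered the staking contract outside addReward/stake")
```

Each flagged transaction marks a point where the contract's FJO balance changed without the epoch rollover check or the RewardAdded event described above.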