Streams can only be staked if their sender is authorized on the FjordStaking contract. This is not consistent with the contest details, code comments and tests, all of which say that authorization is needed only to stake cancellable streams.
The stakeVested(uint256) function should accept cancellable streams if they were made by an authorized sender, as stated in the contest details; however, non-cancellable streams should be accepted from anyone.
The Actors section of the contest details explicitly states:
AuthorizedSender: Address of the owner whose cancellable Sablier streams will be accepted.
From this we can see that cancellable streams from a non-AuthorizedSender will not be accepted. However, in practice any type of stream from a non-AuthorizedSender will not be accepted.
See code snippet:
// only allow authorized stream sender to stake cancelable stream
This can be read as: only an authorized stream sender is allowed to stake cancellable streams, but anyone can stake non-cancellable streams. That should be the case, since a non-cancellable stream is guaranteed to deplete on its own.
Before judging this as a design choice, please correspond with the sponsors to see that this is non-expected behaviour.
Users CANNOT stake non-cancellable streams if the sender is not authorized on the FjordStaking contract.
Manual review
Revise the code so that it checks whether the stream is cancellable. If so, make sure it's coming from an authorized sender.
Use this function from the Sablier interface to check whether a stream is cancellable:
function isCancelable(uint256 streamId) external view returns (bool result);
Rewrite if condition to following -
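The submission's own rewritten condition does not appear on this page. The sketch below is an added illustration, not FjordStaking's code or the submitter's patch: it puts the behaviour the finding describes next to the behaviour it recommends. The contract, mapping and error names are hypothetical, and getSender is assumed to be the Sablier getter that returns a stream's sender.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Subset of the Sablier lockup interface needed for the check.
// isCancelable is quoted in the finding; getSender is an assumption.
interface ISablierLockupSubset {
    function isCancelable(uint256 streamId) external view returns (bool result);
    function getSender(uint256 streamId) external view returns (address sender);
}

// Hypothetical contract: every name here is illustrative only.
contract StreamGateSketch {
    ISablierLockupSubset public immutable sablier;
    mapping(address => bool) public authorizedSenders; // assumed allow-list

    error UnauthorizedStreamSender(uint256 streamId, address sender);

    constructor(ISablierLockupSubset _sablier, address[] memory _senders) {
        sablier = _sablier;
        for (uint256 i = 0; i < _senders.length; i++) {
            authorizedSenders[_senders[i]] = true;
        }
    }

    // Behaviour the finding reports: every stream, cancellable or not,
    // is rejected unless its sender is on the allow-list.
    function checkAllStreams(uint256 streamId) public view {
        address sender = sablier.getSender(streamId);
        if (!authorizedSenders[sender]) {
            revert UnauthorizedStreamSender(streamId, sender);
        }
    }

    // Behaviour the finding recommends: the allow-list applies only to
    // cancellable streams; non-cancellable streams pass from any sender.
    function checkCancelableOnly(uint256 streamId) public view {
        if (!sablier.isCancelable(streamId)) return;
        address sender = sablier.getSender(streamId);
        if (!authorizedSenders[sender]) {
            revert UnauthorizedStreamSender(streamId, sender);
        }
    }
}
```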