DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Missing events for access control changes in FjordAuctionFactory.sol, FjordPoints.sol and FjordStaking.sol

Summary

The following functions in the FjordAuctionFactory, FjordPoints, and FjordStaking contracts lack events for critical access control parameter changes:

  • AuctionFactory.setOwner(address)

  • FjordPoints.setOwner(address)

  • FjordPoints.setStakingContract(address)

  • FjordStaking.setOwner(address)

  • FjordStaking.setRewardAdmin(address)

None of these setters emits an event, so an ownership or admin change leaves no log entry for off-chain indexers, block explorers or monitoring to key on; the only way to notice it is to poll contract storage.

Vulnerability Details

Events are the state-change record that off-chain systems subscribe to. For access control parameters in particular (the contract owner, the reward admin, the staking contract that FjordPoints trusts) a change that emits nothing is invisible to log-based monitoring, so a compromised or mistaken privilege transfer can go unnoticed until it is exploited. It is standard practice (as in OpenZeppelin's Ownable, which emits OwnershipTransferred) to emit an event carrying both the previous and the new value.

Location

  • AuctionFactory.setOwner(address) (src/FjordAuctionFactory.sol#43-46)

    function setOwner(address _newOwner) external onlyOwner {
        owner = _newOwner;   // ownership changes with no event emitted
    }

  • FjordPoints.setOwner(address) (src/FjordPoints.sol#168-171)

    function setOwner(address _newOwner) external onlyOwner {
        if (_newOwner == address(0)) revert InvalidAddress();
        owner = _newOwner;   // no event emitted
    }

  • FjordPoints.setStakingContract(address) (src/FjordPoints.sol#178-184)

    function setStakingContract(address _staking) external onlyOwner {
        if (_staking == address(0)) {
            revert InvalidAddress();
        }
        staking = _staking;   // trusted staking contract swapped with no event emitted
    }

  • FjordStaking.setOwner(address) (src/FjordStaking.sol#350-353)

    function setOwner(address _newOwner) external onlyOwner {
        owner = _newOwner;   // no event emitted
    }

  • FjordStaking.setRewardAdmin(address) (src/FjordStaking.sol#355-358)

    function setRewardAdmin(address _rewardAdmin) external onlyOwner {
        rewardAdmin = _rewardAdmin;   // privileged role reassigned with no event emitted
    }

Impact

  • Limited Transparency: Off-chain systems that rely on logs (indexers, dashboards, alerting) cannot detect changes to these access control parameters.

  • Auditing Challenges: Without a log trail, reconstructing who held which privilege at a given block requires replaying transactions or reading historical storage.

  • Operational Risk: A malicious or mistaken transfer of ownership or admin rights is more likely to go unnoticed, delaying any response.

Tools Used

  • Manual code review

Recommendations

Emit Events

Update the contract functions to emit an event whenever a critical access control parameter is modified, carrying both the previous and the new value so watchers can reconstruct the full history. Emit before the assignment (or cache the old value first) so the previous value is the one actually being replaced. Example for each function:

AuctionFactory.setOwner(address)

    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);

    function setOwner(address _newOwner) external onlyOwner {
        emit OwnerUpdated(owner, _newOwner);   // `owner` still holds the previous value here
        owner = _newOwner;
    }

FjordPoints.setOwner(address)

    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);

    function setOwner(address _newOwner) external onlyOwner {
        if (_newOwner == address(0)) revert InvalidAddress();
        emit OwnerUpdated(owner, _newOwner);
        owner = _newOwner;
    }

FjordPoints.setStakingContract(address)

    event StakingContractUpdated(address indexed previousStakingContract, address indexed newStakingContract);

    function setStakingContract(address _staking) external onlyOwner {
        if (_staking == address(0)) revert InvalidAddress();
        emit StakingContractUpdated(staking, _staking);
        staking = _staking;
    }

FjordStaking.setOwner(address)

    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);

    function setOwner(address _newOwner) external onlyOwner {
        emit OwnerUpdated(owner, _newOwner);
        owner = _newOwner;
    }

FjordStaking.setRewardAdmin(address)

    event RewardAdminUpdated(address indexed previousRewardAdmin, address indexed newRewardAdmin);

    function setRewardAdmin(address _rewardAdmin) external onlyOwner {
        emit RewardAdminUpdated(rewardAdmin, _rewardAdmin);
        rewardAdmin = _rewardAdmin;
    }
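
As a check that the recommendation actually closes the monitoring gap, here is an added Foundry test (example code written for this page; it is not part of the submission or of the Fjord codebase). It uses two minimal stand-in contracts, OwnedNoEvent and OwnedWithEvent, which are assumptions that mirror only the shape of the original setOwner and of the recommended fix. The first test shows that the unpatched pattern produces zero logs for an ownership change, so a log-based watcher has nothing to see; the second shows the patched pattern emitting OwnerUpdated and checks the exact topics an off-chain subscriber would filter on (topic0 is keccak256 of the event signature, topics 1 and 2 are the indexed previous and new owner).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Stand-in for the original pattern: ownership changes silently. Not the Fjord contract.
contract OwnedNoEvent {
    address public owner;
    error Unauthorized();

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    function setOwner(address _newOwner) external onlyOwner {
        owner = _newOwner; // no event
    }
}

// Stand-in for the recommended fix: emit before the write so the old value is logged.
contract OwnedWithEvent {
    address public owner;
    error Unauthorized();
    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized();
        _;
    }

    function setOwner(address _newOwner) external onlyOwner {
        emit OwnerUpdated(owner, _newOwner); // `owner` still holds the previous value
        owner = _newOwner;
    }
}

contract OwnerEventTest is Test {
    // Redeclared locally so vm.expectEmit can match the signature.
    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);

    address constant NEW_OWNER = address(0xBEEF); // arbitrary test address (assumption)

    // Unpatched pattern: the ownership transfer leaves no log at all, so an indexer
    // filtering this contract's logs never learns the owner changed.
    function test_originalEmitsNothing() public {
        OwnedNoEvent c = new OwnedNoEvent(); // deployer (this test) is the owner
        vm.recordLogs();
        c.setOwner(NEW_OWNER);
        Vm.Log[] memory logs = vm.getRecordedLogs();
        assertEq(logs.length, 0, "ownership changed without any log entry");
        assertEq(c.owner(), NEW_OWNER); // state did change, just silently
    }

    // Patched pattern: exactly one log, with the topics a watcher would subscribe to.
    function test_patchedEmitsOwnerUpdated() public {
        OwnedWithEvent c = new OwnedWithEvent();
        vm.recordLogs();
        c.setOwner(NEW_OWNER);
        Vm.Log[] memory logs = vm.getRecordedLogs();
        assertEq(logs.length, 1);
        assertEq(logs[0].emitter, address(c));
        // topic0: event signature hash; topics 1 and 2: indexed addresses, left-padded to 32 bytes
        assertEq(logs[0].topics[0], keccak256("OwnerUpdated(address,address)"));
        assertEq(address(uint160(uint256(logs[0].topics[1]))), address(this));
        assertEq(address(uint160(uint256(logs[0].topics[2]))), NEW_OWNER);
        assertEq(c.owner(), NEW_OWNER);
    }

    // Same check in the idiomatic expectEmit form: both indexed topics must match.
    function test_patchedExpectEmit() public {
        OwnedWithEvent c = new OwnedWithEvent();
        vm.expectEmit(true, true, false, false, address(c));
        emit OwnerUpdated(address(this), NEW_OWNER);
        c.setOwner(NEW_OWNER);
    }
}
```

Run it with `forge test` inside a Foundry project that has forge-std installed. The recordLogs variant is the one to reuse in a regression suite: it fails if the event is dropped, renamed, or emitted after the assignment (in which case topic 1 would equal the new owner rather than the previous one).
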
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
