DeFiFoundry
20,000 USDC
Severity: low
Invalid

Uninitialized staking address in FjordPoints contract

Summary

The FjordPoints contract is deployed with the staking address uninitialized. This design choice leads to a temporary loss of core functionality.

Vulnerability Details

The 'staking' address is not set in the constructor, although the constructor's NatSpec comment states otherwise:

  • @dev Sets the staking contract address and initializes the ERC20 token.

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L116C6-L116C79

Core functions 'onStaked' and 'onUnstaked' are protected by the 'onlyStaking' modifier. The 'onlyStaking' modifier reverts if the caller is not the staking address.

Impact

With 'staking' set to the zero address at deployment, all calls to 'onStaked' and 'onUnstaked' will revert. The contract cannot record staking or unstaking activities until the staking address is set.
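
The window described above can be reproduced with a small model. This is an added example, not code from the FjordPoints repository: `PointsModel`, `WiringCheck`, `setStaking`, the `NotAuthorized` error and the `onStaked(address,uint256)` signature are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model: reproduces only the access-control shape from the finding.
contract PointsModel {
    error NotAuthorized();
    error InvalidAddress();

    address public immutable owner;
    address public staking; // remains address(0) after deployment
    mapping(address => uint256) public stakedOf;

    modifier onlyStaking() {
        if (msg.sender != staking) revert NotAuthorized();
        _;
    }

    constructor() {
        owner = msg.sender; // staking is deliberately not set here
    }

    // Hypothetical owner-only setter that closes the window.
    function setStaking(address _staking) external {
        if (msg.sender != owner) revert NotAuthorized();
        if (_staking == address(0)) revert InvalidAddress();
        staking = _staking;
    }

    function onStaked(address user, uint256 amount) external onlyStaking {
        stakedOf[user] += amount;
    }
}

// Deploys the model as owner, then plays the role of the staking contract.
contract WiringCheck {
    function run() external returns (bool revertedBefore, bool recordedAfter) {
        PointsModel points = new PointsModel();
        // Before wiring: staking == address(0), so no caller matches it.
        try points.onStaked(address(this), 1 ether) {
            revertedBefore = false;
        } catch {
            revertedBefore = true;
        }
        // After the owner wires the staking address, the same call succeeds.
        points.setStaking(address(this));
        points.onStaked(address(this), 1 ether);
        recordedAfter = points.stakedOf(address(this)) == 1 ether;
    }
}
```

Calling `run()` returns `(true, true)`: the hook is unreachable only between deployment and the wiring call, which is the check a deployment script should assert before directing users to the contract.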

Tools Used

Manual review

Recommendations

Modify the constructor to accept the staking address as a parameter:

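    constructor(address _staking) ERC20("BjordBoint", "BJB") {
        // Reject the zero address so the contract is never deployed unwired.
        if (_staking == address(0)) revert InvalidAddress();
        owner = msg.sender;
        // Set the staking address at deployment, as the @dev comment describes.
        staking = _staking;
        lastDistribution = block.timestamp;
        pointsPerEpoch = 100 ether;
    }

Updates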

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
