DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

_authorizedSablierSender parameter will not revert when it is the zero address in the constructor

Summary

The constructor will not revert if _authorizedSablierSender is not set (i.e., if it's set to address(0)).

Vulnerability Details

The FjordStaking contract's constructor allows for the _authorizedSablierSender parameter to be set to address(0) without reverting. If this occurs, no Sablier senders will be initially authorized, which could prevent users from staking vested FJORD tokens.

    constructor(
        address _fjordToken,
        address _rewardAdmin,
        address _sablier,
        address _authorizedSablierSender,
        address _fjordPoints
    ) {
        if (
            _rewardAdmin == address(0) || _sablier == address(0) || _fjordToken == address(0)
                || _fjordPoints == address(0)
        ) revert InvalidZeroAddress();
        startTime = block.timestamp;
        owner = msg.sender;
        fjordToken = ERC20(_fjordToken);
        currentEpoch = 1;
        rewardAdmin = _rewardAdmin;
        sablier = ISablierV2Lockup(_sablier);
        points = IFjordPoints(_fjordPoints);
        if (_authorizedSablierSender != address(0)) {
            authorizedSablierSenders[_authorizedSablierSender] = true;
        }
    }

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L281C4-L303C6

Impact

If no Sablier senders are authorized, the stakeVested() function will always revert due to the StreamNotSupported error.

Tools Used

Manual review

Recommendations

Make the _authorizedSablierSender a required parameter in the constructor, reverting if it's set to address(0).
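
The recommended check, shown in a simplified stand-alone model (an added example, not code from the FjordStaking repository). The contract name SenderAllowlistModel and the function requireSupportedSender are hypothetical, and the stream sender is passed in directly instead of being read from Sablier.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Simplified model written for this example; it is not the FjordStaking source.
contract SenderAllowlistModel {
    // Error names taken from the report above.
    error InvalidZeroAddress();
    error StreamNotSupported();

    // Same mapping name as in the quoted constructor.
    mapping(address => bool) public authorizedSablierSenders;

    /// Recommended behaviour: the initial sender is mandatory, so a deployment
    /// that passes address(0) reverts instead of starting with an empty allowlist.
    constructor(address _authorizedSablierSender) {
        if (_authorizedSablierSender == address(0)) revert InvalidZeroAddress();
        authorizedSablierSenders[_authorizedSablierSender] = true;
    }

    /// Hypothetical stand-in for the sender gate the report attributes to
    /// stakeVested(): a stream is accepted only if its sender is on the allowlist.
    /// Assumption: the caller supplies the stream's sender; no Sablier call is made.
    function requireSupportedSender(address streamSender) external view {
        if (!authorizedSablierSenders[streamSender]) revert StreamNotSupported();
    }
}
```

With the strict constructor, a deployed instance always has at least one sender for which requireSupportedSender does not revert.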

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
