DeFiFoundry
20,000 USDC
Submission Details
Severity: low
Invalid

Lack of Event Emissions for Critical State Changes in FjordPoints and FjordStaking Contracts

Summary

The FjordPoints and FjordStaking contracts fail to emit events for several important state-changing functions. This omission reduces transparency and potentially introduces security risks. Specifically, functions such as setOwner, setStakingContract, and setPointsPerEpoch in FjordPoints, and setOwner, setRewardAdmin, addAuthorizedSablierSender, and removeAuthorizedSablierSender in FjordStaking do not emit events when called.

Vulnerability Details

  1. FjordPoints Contract: The following functions change critical state variables without emitting events:

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L163

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L172

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L184

  2. FjordStaking Contract: Similarly, the following functions lack event emissions:

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L347

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L352

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L357

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordStaking.sol#L361

Impact

Without event logs, it becomes harder to audit the history of critical changes, complicating security reviews and incident investigations.

Tools Used

Manual Review

Recommendations

Add event emissions for all state-changing functions.
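A sketch of the recommended pattern, added here as an illustration and not taken from the submission or the Fjord code base. The setter names come from the finding; the contract name, storage variables, parameter types, event names and errors are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

/// Illustrative sketch only: not the FjordPoints source. Storage layout,
/// parameter types, event names and errors are assumptions.
contract PointsAdminSketch {
    address public owner;
    address public staking;
    uint256 public pointsPerEpoch;

    // Hypothetical events: each carries the previous and the new value so a
    // log consumer can reconstruct the full history of admin changes.
    event OwnerUpdated(address indexed previousOwner, address indexed newOwner);
    event StakingContractUpdated(address indexed previousStaking, address indexed newStaking);
    event PointsPerEpochUpdated(uint256 previousPoints, uint256 newPoints);

    error CallerNotOwner();
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert CallerNotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
        // Log the initial owner so the event history starts at deployment.
        emit OwnerUpdated(address(0), msg.sender);
    }

    function setOwner(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        emit OwnerUpdated(owner, newOwner); // emitted before the write, so `owner` is still the old value
        owner = newOwner;
    }

    function setStakingContract(address newStaking) external onlyOwner {
        if (newStaking == address(0)) revert ZeroAddress();
        emit StakingContractUpdated(staking, newStaking);
        staking = newStaking;
    }

    function setPointsPerEpoch(uint256 newPoints) external onlyOwner {
        emit PointsPerEpochUpdated(pointsPerEpoch, newPoints);
        pointsPerEpoch = newPoints;
    }
}
```

Indexing the address parameters lets monitoring filter logs by the old or new privileged account without decoding every event.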

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
