Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Inability to update sablier address may cause problems since SablierV2Lockup does not use a proxy

Ward

Summary

There is a lot of interaction with Sablier in the FjordStaking contract, but since Sablier contracts do not use a proxy, the address will have to be changed if a vulnerability is discovered. However, there is no function defined in FjordStaking to change the sablier address.

Vulnerability Details

As you can see by examining the deployment addresses from Sablier's documentation, SablierV2Lockup contracts do not use any proxy; https://docs.sablier.com/contracts/v2/deployments

And in the FjordStaking contract, the sablier address is given in the constructor, but we cannot change it;

constructor(

address _fjordToken,

address _rewardAdmin,

address _sablier,

address _authorizedSablierSender,

address _fjordPoints

) {

if (

_rewardAdmin == address(0) || _sablier == address(0) || _fjordToken == address(0)

|| _fjordPoints == address(0)

) revert InvalidZeroAddress();

startTime = block.timestamp;

owner = msg.sender;

fjordToken = ERC20(_fjordToken);

currentEpoch = 1;

rewardAdmin = _rewardAdmin;

sablier = ISablierV2Lockup(_sablier);

points = IFjordPoints(_fjordPoints);

if (_authorizedSablierSender != address(0)) {

authorizedSablierSenders[_authorizedSablierSender] = true;

}

Impact

If a vulnerability is found in SablierV2Lockup and its address is changed, FjordStaking will also have to make a new deployment. Especially if a vulnerability is found related to streams, it may cause problems for FjordStaking and since we cannot change the sablier address, this may not be prevented.

Tools Used

Foundry

Recommendations

Add a permissioned setter function with the onlyOwner modifier that allows changing the address of sablier.

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Appeal created

pessimist Submitter

10 months ago

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.