Submission Details
Severity:
The staking contract address is not set in the `FjordPoints::constructor`
Summary
The staking contract address is not set in the FjordPoints::constructor.
Vulnerability Details
FjordPoints::constructor should set the value of the staking state variable, but the setter call (FjordPoints::setStakingContract) is missing:
/**
@> * @dev Sets the staking contract address and initializes the ERC20 token.
*/
constructor() ERC20("BjordBoint", "BJB") {
owner = msg.sender;
lastDistribution = block.timestamp;
pointsPerEpoch = 100 ether;
}
Impact
The following functions will be unavailable due to reverting until FjordPoints::setStakingContract is called: FjordStaking::stake, FjordStaking::stakeVested, FjordStaking::unstake, FjordStaking::unstakeVested, FjordStaking::onStreamCanceled, FjordStaking::unstakeAll.
Tools Used
Manual review.
Recommendations
Call FjordPoints::setStakingContract in the FjordPoints::constructor:
/**
@> * @dev Sets the staking contract address and initializes the ERC20 token.
*/
- constructor() ERC20("BjordBoint", "BJB") {
+ constructor(address _staking) ERC20("BjordBoint", "BJB") {
owner = msg.sender;
lastDistribution = block.timestamp;
pointsPerEpoch = 100 ether;
+ setStakingContract(_staking);
}
Prize pool breakdown
Total prize
20,000 USDC
nSLOC
66230 USDC / LOC
16,000 USDC
2,500 USDC
1,500 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.