Fjord Token Staking

Fjord

DeFiFoundry

20,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Single Point of Failure in FjordPoints contract

0bingo76

Summary

The FjordPoints contract is vulnerable due to its dependence on a single owner address for executing critical administrative tasks. This setup presents a serious risk, as the loss or compromise of the owner's private key could lead to irreversible issues, rendering the contract unmanageable. If the owner's private key is lost or compromised Ownership cannot be transferred. This could also mean that the staking contract cannot be updated, potentially breaking core functionality and the points distribution rate cannot be adjusted, making the system inflexible.

These functions control ownership transfer, staking contract updates, and points distribution rate adjustments

function setOwner(address _newOwner) external onlyOwner { ... }

function setStakingContract(address _staking) external onlyOwner { ... }

function setPointsPerEpoch(uint256 _points) external onlyOwner checkDistribution { ... }

Vulnerability Details

Loss or compromise of the owner's private key could lead to the contract becoming unmanageable or stuck in a potentially harmful state.

https://github.com/Cyfrin/2024-08-fjord/blob/0312fa9dca29fa7ed9fc432fdcd05545b736575d/src/FjordPoints.sol#L163

Impact

The contract risks becoming permanently unmanageable which could lead to potential loss of user funds if critical updates cannot be made.

Tools Used

manual code review

Recommendations

You could implement checks to ensure the owner is a contract and potentially verify its interface:

function setOwner(address _newOwner) external onlyOwner {

require(_newOwner.code.length > 0, "New owner must be a contract");

require(IGovernance(_newOwner).supportsInterface(type(IGovernance).interfaceId), "Invalid governance contract");

owner = _newOwner;

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Appeal created

0bingo76 Submitter

10 months ago

inallhonesty Lead Judge

10 months ago

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

662

30 USDC / LOC

High Medium

16,000 USDC

Low

2,500 USDC

Judges

1,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.