From f3238a9685d1b597a1b0c716255a2e40f0350904 Mon Sep 17 00:00:00 2001 From: openhands Date: Wed, 18 Mar 2026 08:09:43 +0000 Subject: [PATCH 1/3] fix: Kraiken.setStakingPool() allows stakingPool == liquidityManager with no guard (#935) Co-Authored-By: Claude Sonnet 4.6 --- onchain/src/Kraiken.sol | 2 ++ onchain/test/Kraiken.t.sol | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/onchain/src/Kraiken.sol b/onchain/src/Kraiken.sol index 9455586..ea2362e 100644 --- a/onchain/src/Kraiken.sol +++ b/onchain/src/Kraiken.sol @@ -43,6 +43,7 @@ contract Kraiken is ERC20, ERC20Permit { // Custom errors error ZeroAddressInSetter(); error AddressAlreadySet(); + error InvalidAddress(); // Modifier to restrict access to the liquidity manager modifier onlyLiquidityManager() { @@ -81,6 +82,7 @@ contract Kraiken is ERC20, ERC20Permit { function setStakingPool(address stakingPool_) external { require(msg.sender == deployer, "only deployer"); if (address(0) == stakingPool_) revert ZeroAddressInSetter(); + if (stakingPool_ == liquidityManager) revert InvalidAddress(); if (stakingPool != address(0)) revert AddressAlreadySet(); stakingPool = stakingPool_; } diff --git a/onchain/test/Kraiken.t.sol b/onchain/test/Kraiken.t.sol index 93c27d7..8dc7ac0 100644 --- a/onchain/test/Kraiken.t.sol +++ b/onchain/test/Kraiken.t.sol @@ -207,6 +207,14 @@ contract KraikenTest is Test { kraiken.setStakingPool(makeAddr("anotherStakingPool")); } + function testSetStakingPoolRejectsLiquidityManager() public { + Kraiken freshKraiken = new Kraiken("KRAIKEN", "KRK"); + address lm = makeAddr("liquidityManager"); + freshKraiken.setLiquidityManager(lm); + vm.expectRevert(Kraiken.InvalidAddress.selector); + freshKraiken.setStakingPool(lm); + } + function testSetStakingPoolOnlyDeployer() public { Kraiken freshKraiken = new Kraiken("KRAIKEN", "KRK"); address nonDeployer = makeAddr("nonDeployer"); From 4c1a3940ec82452d995c932e219f4f0d151c3f5a Mon Sep 17 00:00:00 2001 From: openhands Date: Wed, 18 Mar 2026 08:20:49 +0000 Subject: [PATCH 2/3] ci: retrigger after infra failure (#935) From ee867b256e5bd191a67073056e0c827fc5e81a03 Mon Sep 17 00:00:00 2001 From: openhands Date: Wed, 18 Mar 2026 09:45:43 +0000 Subject: [PATCH 3/3] fix: add symmetric InvalidAddress guard to setLiquidityManager (#935) Co-Authored-By: Claude Sonnet 4.6 --- onchain/src/Kraiken.sol | 1 + onchain/test/Kraiken.t.sol | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/onchain/src/Kraiken.sol b/onchain/src/Kraiken.sol index ea2362e..8a5efaf 100644 --- a/onchain/src/Kraiken.sol +++ b/onchain/src/Kraiken.sol @@ -69,6 +69,7 @@ contract Kraiken is ERC20, ERC20Permit { function setLiquidityManager(address liquidityManager_) external { require(msg.sender == deployer, "only deployer"); if (address(0) == liquidityManager_) revert ZeroAddressInSetter(); + if (liquidityManager_ == stakingPool) revert InvalidAddress(); if (liquidityManager != address(0)) revert AddressAlreadySet(); liquidityManager = liquidityManager_; } diff --git a/onchain/test/Kraiken.t.sol b/onchain/test/Kraiken.t.sol index 8dc7ac0..055a092 100644 --- a/onchain/test/Kraiken.t.sol +++ b/onchain/test/Kraiken.t.sol @@ -187,6 +187,14 @@ contract KraikenTest is Test { kraiken.setLiquidityManager(makeAddr("anotherLiquidityManager")); } + function testSetLiquidityManagerRejectsStakingPool() public { + Kraiken freshKraiken = new Kraiken("KRAIKEN", "KRK"); + address sp = makeAddr("stakingPool"); + freshKraiken.setStakingPool(sp); + vm.expectRevert(Kraiken.InvalidAddress.selector); + freshKraiken.setLiquidityManager(sp); + } + function testSetLiquidityManagerOnlyDeployer() public { Kraiken freshKraiken = new Kraiken("KRAIKEN", "KRK"); address nonDeployer = makeAddr("nonDeployer");