fix: Kraiken.setStakingPool() allows stakingPool == liquidityManager with no guard (#935)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 08:09:43 +00:00 · 2026-03-18 08:09:43 +00:00 · f3238a9685
commit f3238a9685
parent 256377ef1f
2 changed files with 10 additions and 0 deletions
--- a/onchain/src/Kraiken.sol
+++ b/onchain/src/Kraiken.sol
@ -43,6 +43,7 @@ contract Kraiken is ERC20, ERC20Permit {
    // Custom errors
    error ZeroAddressInSetter();
    error AddressAlreadySet();
+    error InvalidAddress();

    // Modifier to restrict access to the liquidity manager
    modifier onlyLiquidityManager() {
@ -81,6 +82,7 @@ contract Kraiken is ERC20, ERC20Permit {
    function setStakingPool(address stakingPool_) external {
        require(msg.sender == deployer, "only deployer");
        if (address(0) == stakingPool_) revert ZeroAddressInSetter();
+        if (stakingPool_ == liquidityManager) revert InvalidAddress();
        if (stakingPool != address(0)) revert AddressAlreadySet();
        stakingPool = stakingPool_;
    }
--- a/onchain/test/Kraiken.t.sol
+++ b/onchain/test/Kraiken.t.sol
@ -207,6 +207,14 @@ contract KraikenTest is Test {
        kraiken.setStakingPool(makeAddr("anotherStakingPool"));
    }

+    function testSetStakingPoolRejectsLiquidityManager() public {
+        Kraiken freshKraiken = new Kraiken("KRAIKEN", "KRK");
+        address lm = makeAddr("liquidityManager");
+        freshKraiken.setLiquidityManager(lm);
+        vm.expectRevert(Kraiken.InvalidAddress.selector);
+        freshKraiken.setStakingPool(lm);
+    }
+
    function testSetStakingPoolOnlyDeployer() public {
        Kraiken freshKraiken = new Kraiken("KRAIKEN", "KRK");
        address nonDeployer = makeAddr("nonDeployer");