Submission Details
Severity:
`RewardSpilter` owner should be `_account` instead of Owner()
Desription
During deployment of a reward splitter, the ownership of the newly deployed account is given to the owner of the LSTRewardsSplitterController contract.
address splitter = address(new LSTRewardsSplitter(lst, _fees, owner()));
Since _account will be the real owner of the reward, it should be able to specify the fee receivers and their respective portions by calling the LSTRewardsSplitter::updateFee and LSTRewardsSplitter::addFee functions which are onlyOwner functions.
Impact
Inability of the rewards owner to controll fully how his rewards should be distributed.
Tools Used
Manual Review
Recommendation
Consider changing the code in as follows:
- address splitter = address(new LSTRewardsSplitter(lst, _fees, owner()));
+ address splitter = address(new LSTRewardsSplitter(lst, _fees, _account));
Updates
Lead Judging Commences
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
[INVALID] The owner of LSTRewardsSplitter is not set according to the docs
Appeal created
inallhonesty 12 months ago
Submission Judgement Published Reason: Design choice
Assigned finding tags:
[INVALID] The owner of LSTRewardsSplitter is not set according to the docs
Prize pool breakdown
Total prize
50,000 USDC
nSLOC
2,53020
USDC / LOC
42,000 USDC
4,250 USDC
3,750 USDC
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.