Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

Missing reward split logic in `updateFee` of `LSTRewardsSplitter` contract

Summary

The `updateFee` function is used to update the percentage and receiver of an existing fee entry.
However, it does not distribute rewards that have already accumulated before it updates the fee receiver.

Vulnerability Details

The LSTRewardsSplitter contract has a function updateFee, as implemented below:

```solidity
function updateFee(
    uint256 _index,
    address _receiver,
    uint256 _feeBasisPoints
) external onlyOwner {
    require(_index < fees.length, "Fee does not exist");
    if (_feeBasisPoints == 0) {
        fees[_index] = fees[fees.length - 1];
        fees.pop();
    } else {
        fees[_index].receiver = _receiver;
        fees[_index].basisPoints = _feeBasisPoints;
    }
    if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
}
```

The function does not distribute already accumulated rewards before it updates the fee receiver state, although it should.

Impact

  • Loss of funds for fee receiver

  • Inconsistent status transition

Tools Used

Manual Review

Recommendations

`_splitRewards` has to be called in `updateFee` to distribute accumulated rewards before modifying the fee percentage or receiver.
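
The effect of the ordering can be seen in a small accounting model. This is an added example, not code from the submission or from the stake.link contracts: the `Splitter` class, the receiver names, the amounts and the "remainder" account are all assumptions made for illustration.

```python
# Simplified model of a basis-point rewards splitter (constructed for this
# example; not the LSTRewardsSplitter code). Amounts are integer token units.
from dataclasses import dataclass, field

BPS = 10_000  # 100% in basis points


@dataclass
class Splitter:
    fees: list = field(default_factory=list)   # [receiver, basis_points] entries
    pending: int = 0                            # rewards accrued, not yet split
    paid: dict = field(default_factory=dict)   # receiver -> total paid out

    def accrue(self, amount):
        self.pending += amount

    def split_rewards(self):
        # Assumption: each receiver gets pending * bps / 10000 and the rest
        # goes to a "remainder" account.
        remaining = self.pending
        for receiver, bps in self.fees:
            share = self.pending * bps // BPS
            self.paid[receiver] = self.paid.get(receiver, 0) + share
            remaining -= share
        self.paid["remainder"] = self.paid.get("remainder", 0) + remaining
        self.pending = 0

    def update_fee(self, index, receiver, bps, split_first):
        if index >= len(self.fees):
            raise IndexError("Fee does not exist")
        if split_first:          # recommended ordering: settle, then modify
            self.split_rewards()
        if bps == 0:             # swap-and-pop removal, as in updateFee
            self.fees[index] = self.fees[-1]
            self.fees.pop()
        else:
            self.fees[index] = [receiver, bps]
        # The FeesExceedLimit check is omitted; it does not affect this scenario.


def scenario(split_first):
    s = Splitter(fees=[["alice", 1_000]])       # alice receives 10%
    s.accrue(1_000_000)                          # accrues while alice is receiver
    s.update_fee(0, "bob", 500, split_first)     # owner switches to bob at 5%
    s.accrue(1_000_000)                          # accrues while bob is receiver
    s.split_rewards()
    return s.paid
```

With `split_first=False`, alice is paid nothing and bob receives 5% of the rewards that accrued under alice's 10% fee; with `split_first=True`, alice is paid 100,000 and bob 50,000.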

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`updateStrategyRewards` is not called before adding & updating the fees

It should be called with try and catch to avoid DOS by receiver.
