Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Valid

Missing reward split logic in `updateFee` of `LSTRewardsSplitter` contract

Summary

The `updateFee` function updates the percentage and receiver of an existing fee entry.
However, it does not distribute already accumulated rewards before updating the fee receiver.

Vulnerability Details

The `LSTRewardsSplitter` contract has a function `updateFee`, implemented as follows:

```solidity
function updateFee(
    uint256 _index,
    address _receiver,
    uint256 _feeBasisPoints
) external onlyOwner {
    require(_index < fees.length, "Fee does not exist");
    // Accumulated rewards are not split before the fee table is modified.
    if (_feeBasisPoints == 0) {
        // Remove the entry: overwrite it with the last one, then pop.
        fees[_index] = fees[fees.length - 1];
        fees.pop();
    } else {
        fees[_index].receiver = _receiver;
        fees[_index].basisPoints = _feeBasisPoints;
    }
    if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
}
```

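The function should distribute already accumulated rewards before updating the fee receiver state, but it does not. Rewards that accrued under the old configuration are therefore split later using the new receiver and basis points, or not paid to the old receiver at all if the entry was removed.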

Impact

  • Loss of funds for fee receiver

  • Inconsistent status transition

Tools Used

Manual Review

Recommendations

`_splitRewards` has to be called in `updateFee` to distribute accumulated rewards before modifying the fee percentage or receiver.
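The effect of the ordering can be reproduced in a small accounting model. This Python sketch is an added example, not code from the Stakelink repository or the submission; the class, the names `alice`, `bob` and `owner`, the amounts, and the rule that the remainder after fees goes to `owner` are assumptions made for illustration.

```python
from collections import defaultdict

BPS_DENOMINATOR = 10_000


class SplitterModel:
    """Toy accounting model; the remainder after fees goes to 'owner' (assumption)."""

    def __init__(self, fees):
        self.fees = [list(f) for f in fees]  # [receiver, basis_points]
        self.pending = 0                     # rewards accrued but not yet split
        self.paid = defaultdict(int)         # receiver -> total received

    def accrue(self, amount):
        self.pending += amount

    def split_rewards(self):
        # Pays out everything pending using the fee table as it is *now*.
        rewards, self.pending = self.pending, 0
        distributed = 0
        for receiver, bps in self.fees:
            share = rewards * bps // BPS_DENOMINATOR
            self.paid[receiver] += share
            distributed += share
        self.paid["owner"] += rewards - distributed

    def update_fee(self, index, receiver, bps, split_first):
        if index >= len(self.fees):
            raise IndexError("Fee does not exist")
        new_fees = [list(f) for f in self.fees]
        if bps == 0:                         # remove: swap with last entry, pop
            new_fees[index] = new_fees[-1]
            new_fees.pop()
        else:
            new_fees[index] = [receiver, bps]
        if sum(b for _, b in new_fees) > BPS_DENOMINATOR:
            raise ValueError("FeesExceedLimit")  # nothing committed, like a revert
        if split_first:                      # recommended order: settle, then change
            self.split_rewards()
        self.fees = new_fees


def scenario(split_first):
    s = SplitterModel([("alice", 1000)])       # constructed data: alice at 10%
    s.accrue(1_000)                            # accrues while alice is the receiver
    s.update_fee(0, "bob", 2000, split_first)  # slot reassigned to bob at 20%
    s.split_rewards()
    return dict(s.paid)
```

`scenario(False)` pays the 1,000 units that accrued under alice's entry entirely at bob's 20%, while `scenario(True)` settles alice's 10% share before the entry changes.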

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`updateStrategyRewards` is not called before adding & updating the fees

It should be called with try and catch to avoid DOS by receiver.
