Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

`LSTRewardsSplitter::constructor` Does Not Check the Total Fee Limit

Summary

`LSTRewardsSplitter::constructor` does not check the total fee limit:

```solidity
constructor(address _lst, Fee[] memory _fees, address _owner) {
    controller = ILSTRewardsSplitterController(msg.sender);
    lst = IERC677(_lst);
    for (uint256 i = 0; i < _fees.length; ++i) {
        fees.push(_fees[i]);
    }
    _transferOwnership(_owner);
}
```

Vulnerability Details

Since there is no check on the fee limits, the fee receivers will not receive the correct amount of fees.

Impact

Whenever `LSTRewardsSplitter::_splitRewards` is executed, the transaction will distribute rewards incorrectly or revert due to a lack of token balance in the contract. Here is the `_splitRewards` code:

```solidity
function _splitRewards(uint256 _rewardsAmount) private {
    for (uint256 i = 0; i < fees.length; ++i) {
        Fee memory fee = fees[i];
        // Each fee is a share of the rewards expressed in basis points
        uint256 amount = (_rewardsAmount * fee.basisPoints) / 10000;
        if (fee.receiver == address(lst)) {
            IStakingPool(address(lst)).burn(amount);
        } else {
            lst.safeTransfer(fee.receiver, amount);
        }
    }
}
```

For example:

Let's say the array of fees is set in the constructor like this:
[50000, 25000, 25000]

In the example above, whenever `LSTRewardsSplitter::_splitRewards` is executed, 5x `_rewardsAmount` will go to the receiver at index zero, and 2.5x `_rewardsAmount` will go to index 2 and 3. This will revert if the `principalDeposits` is not enough to cover the withdrawal; otherwise the transaction will be successful and the `LSTRewardsSplitter` will be incorrectly drained of funds.
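The arithmetic described above can be checked with a small Python model. This is an added example, not code from the submission or the project: the receiver names, balances and the `validate_fees` helper are constructed for illustration, and the burn branch is treated the same as a transfer.

```python
# Added model (not project code) of the _splitRewards arithmetic shown on this page.
BPS_DENOMINATOR = 10_000  # same divisor _splitRewards uses


class FeesExceedLimit(Exception):
    """Stands in for the revert proposed in the recommendation."""


def total_fees_basis_points(fees):
    """Sum of basis points over (receiver, basis_points) pairs."""
    return sum(bps for _receiver, bps in fees)


def validate_fees(fees):
    """Constructor-time check: reject fee arrays totalling more than 100%."""
    total = total_fees_basis_points(fees)
    if total > BPS_DENOMINATOR:
        raise FeesExceedLimit(total)
    return fees


def split_rewards(rewards_amount, fees, balance):
    """Integer model of _splitRewards; returns (payouts, remaining balance).

    Raises ValueError where the token transfer would revert for lack of balance.
    """
    payouts = []
    for receiver, bps in fees:
        amount = rewards_amount * bps // BPS_DENOMINATOR  # truncating division
        if amount > balance:
            raise ValueError(f"transfer to {receiver} exceeds balance")
        balance -= amount
        payouts.append((receiver, amount))
    return payouts, balance


# Constructed inputs: the fee array from the example above, hypothetical receivers.
UNCHECKED_FEES = [("r0", 50_000), ("r1", 25_000), ("r2", 25_000)]
VALID_FEES = [("r0", 5_000), ("r1", 2_500), ("r2", 2_500)]

if __name__ == "__main__":
    # A balance of 1000 covers ten times the 100 rewards, so nothing reverts.
    print(split_rewards(100, UNCHECKED_FEES, balance=1_000))
    print(split_rewards(100, VALID_FEES, balance=1_000))
```
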

Tools Used

Manual review and Foundry

Recommendations

Make the following change in the contract's `LSTRewardsSplitter::constructor`:

constructor(address _lst, Fee[] memory _fees, address _owner) {
controller = ILSTRewardsSplitterController(msg.sender);
lst = IERC677(_lst);
for (uint256 i = 0; i < _fees.length; ++i) {
fees.push(_fees[i]);
}
+@> if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
_transferOwnership(_owner);
}
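
Review bot: the added `+@>` line depends on `_totalFeesBasisPoints()` and the `FeesExceedLimit` error, neither of which is defined in the lines shown, so the change should confirm both exist in the contract or add them. Because the check runs after the loop has pushed every entry, the helper needs to sum the storage `fees` array rather than the `_fees` argument. The comparison is `> 10000`, so a deployment test with fees totalling exactly 10000 and another totalling 10001 would pin the boundary.
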
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
