Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Strategy Existence Check in updateStrategyRewards Function

Summary

The updateStrategyRewards function in the provided Solidity code incorrectly checks if a strategy exists for msg.sender instead of verifying the existence of the strategy by its ID.

Vulnerability Details

https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/StakingPool.sol#L413-L417

  • Function: updateStrategyRewards

  • Issue: The function checks if msg.sender is authorized by verifying if a strategy exists for msg.sender. This is incorrect as it should check the strategy ID instead.

    The function below fails because the check in the if statement assesses msg.sender instead of each strategy in _strategyIdxs:

    function updateStrategyRewards(uint256[] memory _strategyIdxs, bytes memory _data) external {
        if (msg.sender != rebaseController && !_strategyExists(msg.sender))
            revert SenderNotAuthorized();
        _updateStrategyRewards(_strategyIdxs, _data);
    }

Impact

medium

Tools Used

manual review

Recommendations

Modify the function to check the existence of the strategy by its ID rather than msg.sender.

```solidity

function updateStrategyRewards(uint256[] memory _strategyIdxs, bytes memory _data) external {
++for (uint256 i = 0; i < _strategyIdxs.length; i++) {
++uint256 strategyId = _strategyIdxs[i];
++if (msg.sender != rebaseController && !_strategyExists(strategyId))
revert SenderNotAuthorized();
}
_updateStrategyRewards(_strategyIdxs, _data);
}

```
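
Review bot: In the added loop, `_strategyExists(strategyId)` is passed a `uint256` taken from `_strategyIdxs`, while the unmodified function calls the same helper as `_strategyExists(msg.sender)` with an address, so the two uses do not agree on the argument type. The new condition also no longer looks at the caller for anyone other than `rebaseController`: a sender who passes only existing strategy indexes never reaches `revert SenderNotAuthorized()`, which turns a caller-authorization check into an input-validation check. If validating `_strategyIdxs` is the goal, keep the caller check on `msg.sender` as it is and add the index validation as a separate condition with its own error.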

Updates

Lead Judging Commences

inallhonesty Lead Judge
about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
