Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

`LSTRewardsSplitterController::removeSplitter` Can Be DDOS by Setting a Receiver to The Zero Address

izuman

Summary

The owner of a splitter can prevent the owner of the splitter controller from removing the splitter contract by setting one of the receivers to the zero address. Additionally if the owner of the splitter contract is initially set to address zero it cannot be removed since the transfer will revert whenever the contracts remaining balance is sent to owner which will be address zero.
Here is the code where we can set the receiver:

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {

fees.push(Fee(_receiver, _feeBasisPoints));

if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();

}

Also here is the code where the splitter is removed in the splitter controller:

function removeSplitter(address _account) external onlyOwner {

ILSTRewardsSplitter splitter = splitters[_account];

if (address(splitter) == address(0)) revert SplitterNotFound();

uint256 balance = IERC20(lst).balanceOf(address(splitter));

uint256 principalDeposits = splitter.principalDeposits();

if (balance != 0) {

if (balance != principalDeposits) splitter.splitRewards();

splitter.withdraw(balance, _account);

}

delete splitters[_account];

uint256 numAccounts = accounts.length;

for (uint256 i = 0; i < numAccounts; ++i) {

if (accounts[i] == _account) {

accounts[i] = accounts[numAccounts - 1];

accounts.pop();

break;

}

IERC677(lst).safeApprove(address(splitter), 0);

}

Vulnerability Details

The owner of the splitter can prevent the owner of the splitter controller from removing the splitter from the contracts mapping.

Whenever the LSTRewardsSplitterController::removeSplitter is called the token will attempt to be transferred to the zero address which will revert.
Lastly, the owner of the splitter contract can remove the zero address fee receiver to collect rewards and add it back whenever they want to prevent LSTRewardsSplitterController::removeSplitter execution.

Impact

Splitter contract cannot be removed from the Splitter Controller contract.

Tools Used

Foundry and manual review

Recommendations

Add a zero address whenever setting the owner of the splitter contract and when adding a fee receiver.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.