Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

LSTRewardsSplitter.sol: small fees can be avoided by timing splitRewards()

Summary

By calling splitRewards() at the right moment, a caller can avoid paying small fees, because the fee is computed with integer division and splitRewards() accepts any reward amount.

Vulnerability Details

LSTRewardsSplitter has two external functions that perform the reward split: performUpkeep() and splitRewards(). Both update the principalDeposits value and transfer the fee to the fee receivers. The difference is that splitRewards() distributes rewards regardless of how small the amount is, while performUpkeep() only acts once the rewards cross rewardThreshold.

Because splitRewards() has no minimum, the caller decides at which accrued amount the split happens and can pick an amount that minimizes the fee.

Because the fee is calculated as

uint256 amount = (_rewardsAmount * fee.basisPoints) / 10000;

In the worst case the fee array consists of several 1 basis point entries. Any reward amount below 10000 (in the token's smallest unit) then yields a fee of 0 for every receiver, so fees are circumvented entirely. For larger amounts the caller can instead trigger splitRewards() at values such as 19999 or 29999, where the truncation discards almost one unit per receiver per call.

Impact

In practice the amounts involved are minuscule, and the caller would likely spend more on gas than they gain in avoided fees. The underlying problem is that, with no guard on splitRewards(), an unprivileged caller chooses the timing of the split to their own advantage rather than the protocol's.

Tools Used

Manual review

Recommendations

Prevent non-authorized users from calling splitRewards() and only allow performUpkeep(), which already checks that the rewards have crossed rewardThreshold. Fee evasion then becomes impossible, or is bounded to whatever the configured threshold explicitly allows.
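To make the rounding argument in Vulnerability Details and the threshold recommendation concrete, here is a small Python model added for this writeup (it is not code from the Stakelink repository). It reproduces the integer-division fee formula, lets a caller trigger the split at the accrued amount of their choosing, and compares the fees actually paid with and without a rewardThreshold-style minimum. The fee array, the one-unit accrual stream and the 100000-unit total are constructed inputs; `simulate`, `opportunistic`, `single_split` and the `threshold` parameter are names chosen here, not the contract's.

```python
from fractions import Fraction
from typing import Callable, List

BASIS_POINTS = 10000  # denominator in the splitter: amount = rewards * bps / 10000


def fee_amounts(rewards: int, fee_bps: List[int]) -> List[int]:
    """Fee per receiver using Solidity-style integer division (rounds toward zero)."""
    return [(rewards * bps) // BASIS_POINTS for bps in fee_bps]


def total_fee(rewards: int, fee_bps: List[int]) -> int:
    """Sum of all receivers' fees for one split of `rewards`."""
    return sum(fee_amounts(rewards, fee_bps))


def rounding_loss(rewards: int, fee_bps: List[int]) -> Fraction:
    """Fee owed at exact arithmetic minus what integer division actually pays out."""
    exact = sum(Fraction(rewards * bps, BASIS_POINTS) for bps in fee_bps)
    return exact - total_fee(rewards, fee_bps)


def simulate(total_rewards: int, fee_bps: List[int],
             trigger: Callable[[int], bool], threshold: int = 0) -> int:
    """Accrue rewards one unit at a time (constructed input) and let `trigger`
    decide, after each unit, whether splitRewards() is called now.

    `threshold` models performUpkeep()'s rewardThreshold: a split is refused
    while the accrued amount is below it (0 means no guard, as in splitRewards()).
    Whatever is still accrued at the end is split once, as upkeep eventually would.
    Returns the fees actually paid to the receivers.
    """
    accrued = 0
    paid = 0
    for _ in range(total_rewards):
        accrued += 1
        if accrued >= threshold and trigger(accrued):
            paid += total_fee(accrued, fee_bps)
            accrued = 0
    paid += total_fee(accrued, fee_bps)
    return paid


def opportunistic(fee_bps: List[int]) -> Callable[[int], bool]:
    """Strategy of the fee-avoiding caller: split right before the next unit of
    rewards would raise the rounded fee, so the truncated part is maximal."""
    return lambda accrued: total_fee(accrued + 1, fee_bps) > total_fee(accrued, fee_bps)


def single_split(_: int) -> bool:
    """Baseline: never call early; everything is split once at the end."""
    return False


if __name__ == "__main__":
    fees = [1, 1, 1]          # constructed: three receivers at 1 basis point each
    total = 100_000           # constructed: total rewards accrued over the period

    print("fee on 9999 :", fee_amounts(9999, fees), "loss", rounding_loss(9999, fees))
    print("fee on 10000:", fee_amounts(10000, fees))
    print("one split at the end        :", simulate(total, fees, single_split))
    print("opportunistic, no threshold :", simulate(total, fees, opportunistic(fees)))
    print("opportunistic, threshold 1e4:",
          simulate(total, fees, opportunistic(fees), threshold=10_000))
```

With three 1 bp receivers, a single split of 100000 units pays 30 in fees; an attacker calling splitRewards() at 9999 each time pays 0; enforcing a 10000 minimum forces the splits up to 19999 and limits the shortfall to just under one unit per receiver per call (15 paid instead of 30 here), which is the dust-level loss the Impact section describes.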

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
