Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Incorrect Handling of rewardThreshold in LSTRewardsSplitterController.sol

Relevant GitHub Links

https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol#L75-L88

https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol#L92-L108

Summary

The rewardThreshold in the LSTRewardsSplitterController contract is intended to prevent frequent or minimal reward splitting. However, if it is not correctly enforced, it can lead to unintended behavior or exploitation.

Vulnerability Details

In LSTRewardsSplitterController.sol, the checkUpkeep function determines if performUpkeep should be called based on reward thresholds:

    function checkUpkeep(bytes calldata) external view returns (bool, bytes memory) {
        // One flag per registered account; the loop below indexes accounts[i]
        bool[] memory splittersToCall = new bool[](accounts.length);
        bool overallUpkeepNeeded;

        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            // Ask each splitter whether it needs upkeep
            (bool upkeepNeeded, ) = splitters[accounts[i]].checkUpkeep("");
            splittersToCall[i] = upkeepNeeded;
            if (upkeepNeeded) overallUpkeepNeeded = true;
        }

        // The flag array becomes the _performData passed to performUpkeep
        return (overallUpkeepNeeded, abi.encode(splittersToCall));
    }

The actual enforcement of rewardThreshold occurs within each splitter:

    function performUpkeep(bytes calldata _performData) external {
        // Caller-supplied flags, one per account
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
        bool splitterCalled;

        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            if (splittersToCall[i] == true) {
                // Forward the call to the flagged splitter
                splitters[accounts[i]].performUpkeep("");
                splitterCalled = true;
            }
        }

        // Revert if no splitter was flagged
        if (splitterCalled == false) {
            revert InvalidPerformData();
        }
    }

Impact

Insufficient threshold enforcement can lead to frequent, minimal distributions, increasing gas costs and user inconvenience. Attackers might manipulate or exploit thresholds to gain disproportionate rewards or disrupt the intended reward distribution schedule.

Tools Used

Manual Code Review

Recommendations

Consider enforcing rewardThreshold at the controller level to ensure consistent application across all splitters. Validate the encoded _performData in performUpkeep to prevent manipulation or unintended function executions.
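One way the recommended _performData validation could look, as an added sketch that is not Stakelink's code and not part of the original submission. ISplitter, ControllerSketch and addSplitter are hypothetical names; the sketch assumes each splitter's checkUpkeep reflects its rewardThreshold, as the report describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical interface: only the two calls visible in the snippets above.
interface ISplitter {
    function checkUpkeep(bytes calldata) external view returns (bool, bytes memory);
    function performUpkeep(bytes calldata) external;
}

// Hypothetical controller, reduced to the upkeep path.
contract ControllerSketch {
    mapping(address => ISplitter) public splitters;
    address[] internal accounts;

    error InvalidPerformData();

    // Hypothetical registration helper, without access control, so the sketch is usable.
    function addSplitter(address _account, ISplitter _splitter) external {
        splitters[_account] = _splitter;
        accounts.push(_account);
    }

    function performUpkeep(bytes calldata _performData) external {
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));

        // The flag array must line up one-to-one with the registered accounts.
        if (splittersToCall.length != accounts.length) revert InvalidPerformData();

        bool splitterCalled;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            if (!splittersToCall[i]) continue;

            // Re-evaluate the splitter's own condition on-chain instead of
            // trusting the caller-supplied flag.
            (bool upkeepNeeded, ) = splitters[accounts[i]].checkUpkeep("");
            if (!upkeepNeeded) continue;

            splitters[accounts[i]].performUpkeep("");
            splitterCalled = true;
        }

        // Nothing eligible was flagged: treat the input as invalid.
        if (!splitterCalled) revert InvalidPerformData();
    }
}
```

The on-chain re-check costs one extra external call per flagged splitter, and a flagged splitter whose condition no longer holds is skipped rather than reverting the whole batch.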

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
