The updateFee function in the LSTRewardsSplitter contract does not validate whether the _receiver address is valid. As a result, there is a risk of assigning the zero address (address(0)) as the fee receiver. This issue can lead to fund loss since sending rewards to the zero address effectively results in tokens being irretrievably locked or burned. Implementing a check to ensure the _receiver is not the zero address is necessary to prevent this vulnerability.
The relevant code in the updateFee function looks like this:
No Validation for Zero Address (address(0)): The _receiver address is updated without checking whether it is the zero address. If someone inadvertently or maliciously passes address(0) as the _receiver, the contract will still assign it as a valid fee receiver.
Fund Loss Risk: In the event that rewards are sent to address(0), those funds will be irretrievably lost since the zero address is non-recoverable.
Let’s assume an update is made to the fee schedule with a zero address as the receiver:
In this case, any rewards meant for that fee receiver will be lost, and further transfers to this "fee receiver" will effectively burn the tokens or lock them permanently.
If the zero address is set as the fee receiver, any rewards directed toward this address will be irretrievably lost, which can potentially result in significant financial losses.
Manual Review
The contract should include a validation check to ensure that the _receiver address is not the zero address.
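One way to implement the recommended check, as an added example that is not the LSTRewardsSplitter source. The contract name, the Fee struct, the fees array, the owner check, the addFee helper, the custom errors and the updateFee parameter list are all assumptions made for illustration; only the updateFee name and the _receiver parameter come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Illustrative sketch only; NOT the project's contract. Every name except
// updateFee and _receiver is an assumption (see the lead-in).
contract FeeSplitterSketch {
    struct Fee {
        address receiver;
        uint256 basisPoints;
    }

    address public immutable owner;
    Fee[] private fees;

    error NotOwner();
    error ZeroAddressReceiver();
    error FeeIndexOutOfRange();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Shared guard so every path that stores a receiver applies the same rule.
    function _checkReceiver(address _receiver) private pure {
        if (_receiver == address(0)) revert ZeroAddressReceiver();
    }

    function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        _checkReceiver(_receiver);
        fees.push(Fee(_receiver, _feeBasisPoints));
    }

    function updateFee(uint256 _index, address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        if (_index >= fees.length) revert FeeIndexOutOfRange();
        // The check the finding asks for: reject address(0) before it is stored,
        // so no later reward distribution can be routed to it.
        _checkReceiver(_receiver);
        fees[_index].receiver = _receiver;
        fees[_index].basisPoints = _feeBasisPoints;
    }
}
```

With the guard in place, a call to updateFee with address(0) as _receiver reverts with ZeroAddressReceiver and the stored fee entry is left unchanged.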