If the balance differs from principalDeposits, it indicates that rewards have accumulated. The contract then calls splitRewards() to distribute the rewards.

if (balance != principalDeposits) splitter.splitRewards();

In the splitRewards() function of LSTRewardsSplitter, rewards are distributed, and the contract updates principalDeposits to the current balance:

principalDeposits = lst.balanceOf(address(this));

After reward distribution, the removeSplitter function attempts to withdraw the initial balance from the splitter

splitter.withdraw(balance, _account);

However, because the rewards have already been distributed, the balance is reduced, and the contract attempts to withdraw more than what is available. This leads to a failed transaction and a DoS scenario.

Impact

This bug can result in a denial of service when attempting to remove a splitter. A splitter can be malicious/faulty or needs to upgrades and there is a need for removal.

Tools Used

Manual review

Recommendations

Implement a check before the withdraw function to ensure the contract only withdraws the available balance.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago

Submission Judgement Published

Validated

Assigned finding tags:

In `removeSplitter` the `principalDeposits` should be used as an input for `withdraw` instead of balance after splitting the existing rewards.

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.