Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Small rewards may be absorbed leading to asset loss

8olidity

Summary

Small rewards may be absorbed leading to asset loss

Vulnerability Details

In the LSTRewardsSplitter contract, when the splitRewards function processes very small rewards, it may lead to asset loss. Specifically:

  1. If _rewardsAmount is very small, when calculating each receiver's share, amount may become 0 due to rounding:

uint256 amount = (_rewardsAmount * fee.basisPoints) / 10000;

When amount is 0, no transfer operation will be executed:

if (fee.receiver == address(lst)) {
IStakingPool(address(lst)).burn(amount);
} else {
lst.safeTransfer(fee.receiver, amount);
}

Even if no rewards are actually distributed, principalDeposits will still be updated:

principalDeposits = lst.balanceOf(address(this));

Impact

This may cause small rewards to be "absorbed" as they are counted into principalDeposits but not actually distributed to anyone. Long-term accumulation may lead to significant asset loss.

Tools Used

vscode

Recommendations

  1. Set a minimum reward threshold, only execute distribution when _rewardsAmount exceeds a certain value.

  2. Use more precise calculation methods when calculating amount to avoid 0 values due to rounding.

  3. Track undistributed small rewards and distribute them when accumulated to a certain amount.

  4. Check if actual reward distribution has occurred before updating principalDeposits.

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.