Liquid Staking

Summary

The constructor in LSTRewardsSplitter.sol fails to validate the total fee basis points during contract creation. While the functions addFee and updateFee correctly enforce a limit of 10,000 basis points, this safeguard is missing in the constructor. As a result, it is possible to deploy the contract with fees exceeding the intended limit of 10,000 basis points, bypassing the protection present in other parts of the contract, and could lead to reverts or loss of funds when splitting rewards.

Vulnerability Details

In the LSTRewardsSplitter contract, the functions to add/update the fees will revert the transaction if the total basis of all fees exceeds a fixed limit of 10_000.

This check is not implemented for the constructor, allowing for a creation of a contract with higher fees than the limit it is supposed to have.

Note that this type of logic does exist for other checks in the contract, like for the initialization of VaultControllerStrategy, InsurancePool or RebaseController, which makes the lack of it in LSTRewardsSplitter seem like a involuntary omission.

Impact

If the total of basisPoints would exceed 10_000, the splitRewards function, which calculates and distributes rewards based on the fee percentage, will over-allocate rewards to fee recipients.

This can lead to two possible outcomes:

1. Revert: If the total rewards are insufficient to cover the excessive fee, the transaction will revert, halting the reward splitting process.

2. Loss of Funds: If sufficient tokens are deposited, the contract may transfer more tokens than intended to fee recipients, reducing the principal amount available to the contract and effectively leading to a loss of principal.

Both scenarios represent risks to the integrity and proper functioning of the contract.

Tools Used

Manual review.

Recommendations

Update the constructor to revert if the total fees exceed the limit :