Summary
In the contract StakingRewardsPool, the parameter totalShares is not initialized.
Vulnerability Details
The only point of initialization is in the _mintShares function.

    function _mintShares(address _recipient, uint256 _amount) internal {
        require(_recipient != address(0), "Mint to the zero address");
        if (totalShares == 0) {
            shares[address(0)] = DEAD_SHARES;
            totalShares = DEAD_SHARES;
            _amount -= DEAD_SHARES;
        }
        totalShares += _amount;
        shares[_recipient] += _amount;
    }

Impact
Checking if (totalShares == 0) each time a function is invoked can be gas-consuming.
Also, please check the _burn function. There, totalShares -= sharesToBurn can result in a value overflow and revert.

    /**
     * @notice Burns shares belonging to an account
     * @dev takes an LST amount and calculates the amount of shares it corresponds to
     * @param _account account to burn shares for
     * @param _amount LST amount
     */
    function _burn(address _account, uint256 _amount) internal override {
        uint256 sharesToBurn = getSharesByStake(_amount);
        require(_account != address(0), "Burn from the zero address");
        require(shares[_account] >= sharesToBurn, "Burn amount exceeds balance");
        totalShares -= sharesToBurn;
        shares[_account] -= sharesToBurn;
        emit Transfer(_account, address(0), _amount);
    }

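The two code paths quoted above can be exercised in isolation with a forge test. This is an added example, not code from the audited project: SharesHarness, burnShares, the test names and the DEAD_SHARES value of 10 ** 3 are assumptions, and burnShares takes a share amount directly because getSharesByStake is not shown in this report.

```solidity
pragma solidity ^0.8.15;

import "forge-std/Test.sol";
// Added harness: only the share accounting quoted in the report, nothing else from the project.
contract SharesHarness {
    uint256 public constant DEAD_SHARES = 10 ** 3; // assumed value, not given in the report
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    function mintShares(address _recipient, uint256 _amount) external {
        require(_recipient != address(0), "Mint to the zero address");
        if (totalShares == 0) {
            shares[address(0)] = DEAD_SHARES;
            totalShares = DEAD_SHARES;
            _amount -= DEAD_SHARES; // checked arithmetic: reverts if _amount < DEAD_SHARES
        }
        totalShares += _amount;
        shares[_recipient] += _amount;
    }

    // Hypothetical variant of _burn that takes shares directly (no getSharesByStake).
    function burnShares(address _account, uint256 _sharesToBurn) external {
        require(_account != address(0), "Burn from the zero address");
        require(shares[_account] >= _sharesToBurn, "Burn amount exceeds balance");
        totalShares -= _sharesToBurn;
        shares[_account] -= _sharesToBurn;
    }
}

contract SharesHarnessTest is Test {
    SharesHarness pool = new SharesHarness();
    address alice = address(0xA11CE); // constructed test account

    function test_FirstMintSeedsDeadShares() public {
        pool.mintShares(alice, 5000);
        assertEq(pool.shares(address(0)), 1000);
        assertEq(pool.shares(alice), 4000);
        assertEq(pool.totalShares(), 5000);
    }
    function test_FirstMintBelowDeadSharesReverts() public {
        vm.expectRevert(stdError.arithmeticError);
        pool.mintShares(alice, 999);
    }
    function test_BurnSubtractsFromTotal() public {
        pool.mintShares(alice, 5000);
        pool.burnShares(alice, 4000);
        assertEq(pool.totalShares(), 1000);
    }
}
```

Run it with `forge test --match-contract SharesHarnessTest` in a project that has forge-std installed.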
Tools Used
forge
Recommendations
Please set a default value for totalShares to avoid checking its value each time.