Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Analysis of Potential Vulnerability in updateFee() Function of LSTRewardsSplitter Contract

Summary

Analysis of Potential Vulnerability in updateFee() Function of LSTRewardsSplitter Contract

Vulnerability Details

A potential logic error exists in the updateFee() function of the LSTRewardsSplitter contract, which may prevent the correct deletion of fees.

When attempting to delete a fee with zero basis points, the function performs an update operation instead of a deletion. This occurs because the function logic only executes the deletion operation when the new _feeBasisPoints is zero.

    function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        _updateStrategyRewards();
        fees.push(Fee(_receiver, _feeBasisPoints));
        if (_totalFeesBasisPoints() > 3000) revert FeesTooLarge();
    }

PoC

a. Add a fee with zero basis points.

b. Attempt to delete this fee using the updateFee() function.

c. Observe that the fee is not deleted but updated instead.

Impact

This vulnerability could prevent the contract owner from deleting existing fees with zero basis points, affecting the contract's flexibility and maintainability.

Tools Used

vscode

Recommendations

Add a check in the updateFee() function to prevent updating a fee to zero:

    require(_feeBasisPoints != 0, "Cannot update to zero fee");

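The PoC steps can be checked against the logic as the report describes it with a small model. This is an added JavaScript example, not the Stakelink contract or the submitter's code; the updateFee() parameters, the swap-and-pop removal, the cap check on update and the receiver address are assumptions, and rejectZeroUpdate stands in for the recommended require.

```javascript
// Added model, not the Stakelink contract. updateFee() follows only the
// report's description (new basis points == 0 deletes, anything else
// overwrites); its parameters and the swap-and-pop removal are assumptions.
const MAX_TOTAL_BPS = 3000; // cap from the quoted addFee()

class FeeListModel {
  constructor({ rejectZeroUpdate = false } = {}) {
    this.fees = [];
    this.rejectZeroUpdate = rejectZeroUpdate; // the report's recommended require
  }
  totalBps() {
    return this.fees.reduce((sum, f) => sum + f.bps, 0);
  }
  addFee(receiver, bps) {
    this.fees.push({ receiver, bps });
    if (this.totalBps() > MAX_TOTAL_BPS) {
      this.fees.pop(); // a revert rolls the push back
      throw new Error("FeesTooLarge");
    }
  }
  updateFee(index, receiver, bps) {
    if (this.rejectZeroUpdate && bps === 0) throw new Error("Cannot update to zero fee");
    if (bps === 0) {
      // deletion branch: move the last entry into the slot, then shrink
      this.fees[index] = this.fees[this.fees.length - 1];
      this.fees.pop();
      return "deleted";
    }
    const previous = this.fees[index];
    this.fees[index] = { receiver, bps };
    if (this.totalBps() > MAX_TOTAL_BPS) { // assumed: same cap as addFee()
      this.fees[index] = previous; // a revert rolls the overwrite back
      throw new Error("FeesTooLarge");
    }
    return "updated";
  }
}

// Steps a-c of the PoC run against the model (constructed receiver address).
function runPocSteps(options) {
  const list = new FeeListModel(options);
  list.addFee("0xReceiverA", 0); // a. add a fee with zero basis points
  try { // b. call updateFee() with zero basis points, c. report what happened
    return { outcome: list.updateFee(0, "0xReceiverA", 0), remaining: list.fees.length };
  } catch (err) {
    return { outcome: err.message, remaining: list.fees.length };
  }
}
```

In this model step b removes the zero-basis-point entry, while with rejectZeroUpdate enabled the zero-value call reverts and the entry stays in the list.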
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
