Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Missing Fee Check in `addSplitter` Function

Summary

Missing Fee Check in addSplitter Function

Vulnerability Details

The `addSplitter` function in the `LSTRewardsSplitterController` contract allows the addition of new `LSTRewardsSplitter` instances without verifying the total fees across all splitters. This omission can lead to a scenario where the cumulative fees exceed the intended limit of 10%, violating the protocol's fee structure integrity. If `_totalFeesBasisPoints()` is greater than 10000 when the contract is created, `addFee` cannot be called.

```solidity
function addSplitter(
    address _account,
    LSTRewardsSplitter.Fee[] memory _fees
) external onlyOwner {
    if (address(splitters[_account]) != address(0)) revert SplitterAlreadyExists();
    address splitter = address(new LSTRewardsSplitter(lst, _fees, owner()));
    splitters[_account] = ILSTRewardsSplitter(splitter);
    accounts.push(_account);
    IERC677(lst).safeApprove(splitter, type(uint256).max);
}
```

Impact

Allowing multiple splitters with unchecked fees can result in a total fee percentage greater than 10%. This could unfairly reduce the rewards of stakers and violate the protocol's design parameters, potentially leading to user dissatisfaction and loss of trust.

Tools Used

vscode

Recommendations

Implement a check within the addSplitter function to ensure that the total fees, including those of the new splitter, do not exceed 10%. This will maintain the integrity of the fee structure and protect user interests.
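One way the recommended check could look, as an added sketch that is not code from the submission or from the Stakelink contracts. The `Fee` field names, the 1000 basis point cap (the report's stated 10%), the running-total bookkeeping and the `removeSplitter` function are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration: a stand-alone model of a controller that caps the
// cumulative fee across all splitters. Every name here is hypothetical.
contract SplitterFeeCapSketch {
    struct Fee {
        address receiver;    // assumed field name
        uint256 basisPoints; // assumed field name; 1 bp = 0.01%
    }

    // 10% in basis points, the limit stated in the report (assumption).
    uint256 public constant MAX_TOTAL_FEES_BP = 1000;

    address public immutable owner = msg.sender;
    uint256 public totalFeesBasisPoints; // sum over all registered splitters
    mapping(address => uint256) public splitterFeesBasisPoints;
    mapping(address => bool) public hasSplitter;

    error NotOwner();
    error SplitterAlreadyExists();
    error SplitterNotFound();
    error FeesExceedLimit(uint256 requested, uint256 limit);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    function addSplitter(address _account, Fee[] memory _fees) external onlyOwner {
        if (hasSplitter[_account]) revert SplitterAlreadyExists();
        uint256 added;
        for (uint256 i = 0; i < _fees.length; ++i) added += _fees[i].basisPoints;
        // Reject before any state change or deployment if the cap would be passed.
        uint256 newTotal = totalFeesBasisPoints + added;
        if (newTotal > MAX_TOTAL_FEES_BP) revert FeesExceedLimit(newTotal, MAX_TOTAL_FEES_BP);
        hasSplitter[_account] = true;
        splitterFeesBasisPoints[_account] = added;
        totalFeesBasisPoints = newTotal;
        // A real controller would deploy and approve the splitter at this point.
    }

    function removeSplitter(address _account) external onlyOwner {
        if (!hasSplitter[_account]) revert SplitterNotFound();
        totalFeesBasisPoints -= splitterFeesBasisPoints[_account]; // keep the total in sync
        delete splitterFeesBasisPoints[_account];
        delete hasSplitter[_account];
    }
}
```

A running total like this only holds if every path that changes a splitter's fees after creation, such as the `addFee` call mentioned above, updates it as well.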

Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
