Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Potential Denial of Service via Zero Address Fee Receiver

chainsentryaudits

Summary

The LSTRewardsSplitter and LSTRewardsSplitterController contracts within the stake.link platform allow the contract owner to manage fee receivers through the addFee and updateFee functions. However, these functions lack validation to prevent setting the fee receiver to the zero address (address(0)). If a fee receiver is inadvertently or maliciously set to the zero address, any attempt to distribute rewards will fail, leading to a Denial of Service (DoS) for the reward distribution mechanism.

Vulnerability Details

Adding a Fee with the Zero Address

// As the contract owner, add a fee receiver set to the zero address
splitter.addFee(address(0), 100); // Adds a fee of 1%

Explanation:
The owner calls the addFee function with _receiver set to address(0) and _feeBasisPoints set to 100 (representing 1%). Since there is no validation to prevent the zero address, the fee is successfully added to the fees array.

Attempting to Split Rewards

// Attempt to split rewards which should now fail
splitter.splitRewards();

Explanation:
When splitRewards is invoked, the contract iterates through all configured fees and attempts to transfer the specified fee amount to each receiver. Encountering the zero address as a fee receiver, the safeTransfer function from OpenZeppelin's SafeERC20 library reverts the transaction, causing the entire splitRewards function to fail.

Expected Revert Message

ERC20: transfer to the zero address

Explanation:
The transaction reverts with the message "ERC20: transfer to the zero address" due to the failed attempt to transfer tokens to an invalid address, effectively halting the reward distribution process.

Impact

  • Denial of Service (DoS):
    The inability to distribute rewards disrupts the platform's core functionality, preventing users from receiving their staking rewards.

  • Economic Impact:
    Users relying on timely reward distributions may lose trust in the platform, potentially leading to decreased participation and staking activity.

  • Operational Disruption:
    The platform requires manual intervention by the owner to rectify the fee receiver address, which can delay reward distributions and affect user satisfaction.

Tools Used

Manual Review

Recommendations

Implement Validation Checks

To prevent setting the fee receiver to the zero address, introduce validation within the addFee and updateFee functions.

Updated addFee Function

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
require(_receiver != address(0), "Receiver cannot be zero address");
fees.push(Fee(_receiver, _feeBasisPoints));
if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
}

Explanation:
A require statement ensures that the _receiver is not the zero address before adding the fee, preventing accidental or malicious misconfiguration.

Updated updateFee Function

function updateFee(
uint256 _index,
address _receiver,
uint256 _feeBasisPoints
) external onlyOwner {
require(_index < fees.length, "Fee does not exist");
require(_receiver != address(0) || _feeBasisPoints == 0, "Receiver cannot be zero address");
if (_feeBasisPoints == 0) {
fees[_index] = fees[fees.length - 1];
fees.pop();
} else {
fees[_index].receiver = _receiver;
fees[_index].basisPoints = _feeBasisPoints;
}
if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
}

Explanation:
The require statement ensures that the _receiver is not the zero address unless the _feeBasisPoints is set to zero, which effectively removes the fee.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.