Contract: LSTRewardsSplitter.sol
Line: 140
The addFee() function in the LSTRewardsSplitter contract does not validate its inputs, which could lead to unexpected behavior. Specifically:
The function doesn't check if the _receiver address is valid (i.e., not the zero address).
There's no validation to ensure that _feeBasisPoints is greater than zero.
These oversights could allow the contract owner to add fees with invalid receivers or zero basis points, potentially disrupting the reward distribution mechanism or causing unnecessary gas consumption for no-op operations.
Original Code:
The lack of input validation in the addFee() function could lead to:
Addition of fees with invalid receiver addresses (zero address), potentially causing loss of funds.
Creation of zero-value fees, resulting in unnecessary gas consumption and cluttering the fee array.
Increased complexity in fee management and potential confusion for users or administrators.
These issues may compromise the integrity of the reward distribution system, lead to unexpected behavior, and potentially require manual intervention to correct. While not immediately exploitable, addressing this vulnerability would significantly improve the contract's robustness and reduce the risk of operational errors that could lead to a loss of funds.
Remix IDE Desktop
Code Recommendation:
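The two checks this finding calls for, shown next to the unvalidated form. This is an added example, not the report's recommended code or the LSTRewardsSplitter source. The contract name, Fee struct, owner check, error names and feeCount() helper are assumptions; addFee(), _receiver and _feeBasisPoints follow the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration: a minimal stand-in, not the LSTRewardsSplitter source.
// The Fee struct, fees array, owner check and error names are assumptions.
contract FeeListExample {
    struct Fee {
        address receiver;
        uint256 basisPoints;
    }

    error NotOwner();
    error InvalidReceiver();
    error InvalidFeeBasisPoints();

    address public immutable owner;
    Fee[] private fees;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Unvalidated form described in the finding: any receiver and any
    // amount, including address(0) and 0, is appended to the fee array.
    function addFeeUnchecked(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        fees.push(Fee(_receiver, _feeBasisPoints));
    }

    // Validated form: reject the zero address and zero-value fees
    // before anything is written to storage.
    function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        if (_receiver == address(0)) revert InvalidReceiver();
        if (_feeBasisPoints == 0) revert InvalidFeeBasisPoints();
        fees.push(Fee(_receiver, _feeBasisPoints));
    }

    // Lets a test confirm that a reverted call left the array unchanged.
    function feeCount() external view returns (uint256) {
        return fees.length;
    }
}
```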