Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

Missing Fee Validation in LSTRewardsSplitter Constructor

Summary

In the LSTRewardsSplitter contract, the constructor is missing a critical check to validate that the total fee basis points do not exceed 10000 (100%). While this check is present in the addFee and updateFee functions, it is absent during initialization, leading to a potential risk of incorrect reward allocation.

Vulnerability Details

The constructor of the LSTRewardsSplitter contract does not validate whether the total fee basis points from the _fees array exceed 10000 (100%). This could allow an invalid fee structure to be set during initialization, resulting in reward misallocation.
https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L50-L57

Impact

Without validation, total fees could exceed 100%, leading to more rewards being allocated than available. This would break the reward distribution mechanism and result in reward misallocation or contract failure.

Tools Used

Recommendations

Ensure that the total fee basis points do not exceed 10000 (100%) during initialization, similar to the checks in addFee and updateFee:

    if (_totalFeesBasisPoints() > 10000) {
        revert FeesExceedLimit();
    }
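
The recommended check placed in a constructor, as an added example that is not taken from the Stakelink repository. The contract name FeeSplitterSketch, the Fee struct layout, the pragma and previewSplit are assumptions made for illustration, and access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Simplified model for illustration only; not the LSTRewardsSplitter source.
contract FeeSplitterSketch {
    struct Fee {
        address receiver;
        uint256 basisPoints;
    }

    Fee[] private fees;

    error FeesExceedLimit();

    // The initial fee set goes through the same cap that addFee enforces,
    // so deployment reverts if the entries sum to more than 100%.
    constructor(Fee[] memory _fees) {
        for (uint256 i = 0; i < _fees.length; ++i) {
            fees.push(_fees[i]);
        }
        if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
    }

    // Access control omitted in this sketch.
    function addFee(address _receiver, uint256 _basisPoints) external {
        fees.push(Fee(_receiver, _basisPoints));
        if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
    }

    // Hypothetical helper: per-receiver share of _rewards. With the total
    // capped at 10000 the shares can never sum to more than _rewards.
    function previewSplit(uint256 _rewards) external view returns (uint256[] memory amounts) {
        amounts = new uint256[](fees.length);
        for (uint256 i = 0; i < fees.length; ++i) {
            amounts[i] = (_rewards * fees[i].basisPoints) / 10000;
        }
    }

    function _totalFeesBasisPoints() private view returns (uint256 total) {
        for (uint256 i = 0; i < fees.length; ++i) {
            total += fees[i].basisPoints;
        }
    }
}
```

Without the constructor check, a constructed fee set of 6000 and 5000 basis points would make previewSplit(1000) return 600 and 500, which is 1100 against 1000 available.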
Updates

Lead Judging Commences

inallhonesty Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
