Summary

In the LSTRewardsSplitter contract, the constructor is missing a critical check to validate that the total fee basis points do not exceed 10000 (100%). While this check is present in the addFee and updateFee functions, it is absent during initialization, leading to a potential risk of incorrect reward allocation.

Vulnerability Details

The constructor of the LSTRewardsSplitter contract does not validate whether the total fee basis points from the _fees array exceed 10000 (100%). This could allow an invalid fee structure to be set during initialization, resulting in reward misallocation.
https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L50-L57

Impact

Without validation, total fees could exceed 100%, leading to more rewards being allocated than available. This would break the reward distribution mechanism and result in reward misallocation or contract failure.

Tools Used

Recommendations

Ensure that the total fee basis points do not exceed 10000 (100%) during initialization, similar to the checks in addFee and updateFee