Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: high
Invalid

Unauthorized Access to Reward Distribution Functions in LSTRewardsSplitter.sol

Summary

The LSTRewardsSplitter contract lacks adequate access control, allowing unauthorized users to invoke critical functions such as performUpkeep, splitRewards, and indirectly _splitRewards. This vulnerability can lead to unauthorized manipulation of reward distributions.

Vulnerability Details

During testing, it was observed that unauthorized accounts were able to call the performUpkeep and splitRewards functions without proper access restrictions. This lack of access control permits any user to initiate reward splitting processes, potentially leading to unauthorized rewards being distributed to unintended recipients.

Please paste this test into lst-rewards-splitter.test.ts

PoC

describe('Unauthorized Access Test', function () {
  it('should not allow unauthorized users to call performUpkeep or splitRewards', async function () {
    const { signers, accounts, controller, token, splitter0 } = await loadFixture(deployFixture);

    // Unauthorized signer (not account[0] or account[1] who are the splitters)
    const unauthorizedSigner = signers[2];

    // Attempt to call performUpkeep by unauthorized user
    await token.transfer(splitter0.target, toEther(100));
    await expect(
      controller.connect(unauthorizedSigner).performUpkeep(
        ethers.AbiCoder.defaultAbiCoder().encode(['bool[]'], [[true, false]])
      )
    ).to.be.revertedWithCustomError(controller, 'SenderNotAuthorized()');

    // Attempt to call splitRewards by unauthorized user directly on the splitter
    await expect(
      splitter0.connect(unauthorizedSigner).splitRewards()
    ).to.be.revertedWithCustomError(splitter0, 'SenderNotAuthorized()');

    // Ensure no rewards were transferred
    assert.equal(fromEther(await token.balanceOf(accounts[5])), 0);
    assert.equal(fromEther(await token.balanceOf(accounts[6])), 0);
  });
});

Unauthorized Signer: I added signers[2] as an unauthorized signer who is trying to access the critical functions.

performUpkeep: The unauthorized signer tries to call the performUpkeep function, but it should revert with a SenderNotAuthorized() error.

splitRewards: Similarly, the unauthorized signer attempts to call splitRewards directly on the splitter, but it should also revert with the appropriate error.

Final Assertions: After attempting unauthorized access, we check that no rewards were transferred to the accounts.

But in the end it does not revert.

Impact

This vulnerability poses a significant risk to the integrity of the reward distribution mechanism. Unauthorized users could exploit this flaw to siphon rewards intended for legitimate recipients, resulting in financial losses and undermining trust in the system. If exploited, this could lead to severe reputational damage and loss of user confidence.

Tools Used

Manual review

Recommendations

Implement robust access control mechanisms to ensure that only authorized users can invoke critical functions like performUpkeep and splitRewards.
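
One shape the recommendation could take, as an added example that is not code from this submission or from the Stakelink repository: a hypothetical RestrictedSplitter in which both external entry points revert with SenderNotAuthorized() unless the caller is an assumed controller address, and the internal split is private so it is reachable only through them. The contract name, constructor, receiver and basis-point arrays, the TransferFailed error, and treating the whole token balance as rewards are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used by this example.
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical contract constructed for illustration; not the audited LSTRewardsSplitter.
contract RestrictedSplitter {
    error SenderNotAuthorized();
    error TransferFailed();

    IERC20Min public immutable token;
    address public immutable controller; // assumed: the only caller allowed to trigger a split
    address[] public receivers;          // fixed at deployment, so a caller cannot choose payees
    uint256[] public basisPoints;        // share per receiver, out of 10000

    modifier onlyController() {
        if (msg.sender != controller) revert SenderNotAuthorized();
        _;
    }

    constructor(IERC20Min _token, address _controller, address[] memory _receivers, uint256[] memory _basisPoints) {
        require(_receivers.length == _basisPoints.length, "length mismatch");
        uint256 total;
        for (uint256 i = 0; i < _basisPoints.length; ++i) total += _basisPoints[i];
        require(total <= 10000, "shares exceed 100%");
        token = _token;
        controller = _controller;
        receivers = _receivers;
        basisPoints = _basisPoints;
    }

    // Both external entry points carry the same check.
    function splitRewards() external onlyController { _splitRewards(); }
    function performUpkeep(bytes calldata) external onlyController { _splitRewards(); }

    // Private: reachable only through the guarded functions above.
    // Simplification (assumption): the whole balance is treated as rewards.
    function _splitRewards() private {
        uint256 rewards = token.balanceOf(address(this));
        for (uint256 i = 0; i < receivers.length; ++i) {
            uint256 amount = (rewards * basisPoints[i]) / 10000;
            if (amount != 0 && !token.transfer(receivers[i], amount)) revert TransferFailed();
        }
    }
}
```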

Related Links

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L101

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L116

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic
