This report describes a missing access control on the splitRewards function of the LSTRewardsSplitter contract. Because the function has no caller restriction, any externally owned account or contract can invoke it and trigger a reward split, which can result in rewards being distributed at a time or under conditions the protocol did not intend and exposes stakeholders to financial loss. Restricting the function to authorized callers is needed to preserve the integrity of the rewards system.
The splitRewards function in LSTRewardsSplitter has no access control: it is not guarded by an owner, controller or role check, so any address can call it and split the rewards held by the contract. An unauthorized caller can therefore trigger reward distribution without the protocol's consent, which can lead to financial loss for stakeholders.
Vulnerable Function: splitRewards
Code Snippet: https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L116
Unauthorized Access: Any address can call splitRewards and trigger a reward distribution without authorization. A malicious actor could exploit this to divert or drain rewards intended for legitimate participants. The practical severity depends on whether the caller can influence where the rewards go (for example, if fee receivers or amounts are derived from msg.sender or from state the caller can change); if the split always pays the same pre-configured receivers, an unrestricted call is mainly a timing or griefing concern rather than direct theft, and this should be verified against the linked code.
Financial Risk: Stakeholders may suffer losses if rewards are distributed incorrectly or to the wrong parties as a result of an unauthorized call.
Implement Access Control: Add a modifier to splitRewards that restricts it to authorized callers (for example, the contract owner or a designated controller role) and reverts for any other msg.sender. If the function is meant to be triggered by a keeper or an automated controller, grant that specific address the role rather than leaving the function open to everyone.
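The following is an added example, not the stake.link LSTRewardsSplitter code. It models the finding with a minimal splitter: the unrestricted splitRewards pattern the report describes next to a hardened variant guarded by an owner/controller check. The contract layout and the names lst, controller, fees and principalDeposits are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the stake.link LSTRewardsSplitter code. It models the
// finding with a minimal splitter: the unrestricted splitRewards() from the
// report next to a hardened form guarded by an owner/controller check.
// Names (lst, controller, fees, principalDeposits) are assumptions.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract SplitterBase {
    struct Fee {
        address receiver;
        uint256 basisPoints; // share of rewards, out of 10_000
    }

    IERC20 public immutable lst;
    address public owner;
    address public controller;          // assumed automated caller (keeper/controller)
    uint256 public principalDeposits;   // balance that is principal, not rewards
    Fee[] public fees;

    error Unauthorized(address caller);
    error NoRewards();
    error TransferFailed();

    event RewardsSplit(address indexed caller, uint256 rewards);

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    // Hardened guard: only the owner or the configured controller may proceed.
    modifier onlyOwnerOrController() {
        if (msg.sender != owner && msg.sender != controller) revert Unauthorized(msg.sender);
        _;
    }

    constructor(IERC20 _lst, address _controller, Fee[] memory _fees) {
        lst = _lst;
        owner = msg.sender;
        controller = _controller;
        uint256 total;
        for (uint256 i = 0; i < _fees.length; ++i) {
            total += _fees[i].basisPoints;
            fees.push(_fees[i]);
        }
        require(total <= 10_000, "fees exceed 100%");
    }

    // Privileged configuration stays owner-only in both variants.
    function setController(address _controller) external onlyOwner {
        controller = _controller;
    }

    // Shared split logic: rewards are whatever balance exceeds principal.
    function _split() internal {
        uint256 balance = lst.balanceOf(address(this));
        if (balance <= principalDeposits) revert NoRewards();
        uint256 rewards = balance - principalDeposits;

        for (uint256 i = 0; i < fees.length; ++i) {
            uint256 amount = (rewards * fees[i].basisPoints) / 10_000;
            if (amount != 0 && !lst.transfer(fees[i].receiver, amount)) revert TransferFailed();
        }

        // Whatever remains after fees is treated as principal again.
        principalDeposits = lst.balanceOf(address(this));
        emit RewardsSplit(msg.sender, rewards);
    }
}

// Before: the pattern the finding reports. No modifier, so any address can call.
contract SplitterUnrestricted is SplitterBase {
    constructor(IERC20 _lst, address _controller, Fee[] memory _fees)
        SplitterBase(_lst, _controller, _fees) {}

    function splitRewards() external {
        _split();
    }
}

// After: the recommended fix. The same function reverts for any caller that is
// neither the owner nor the designated controller.
contract SplitterRestricted is SplitterBase {
    constructor(IERC20 _lst, address _controller, Fee[] memory _fees)
        SplitterBase(_lst, _controller, _fees) {}

    function splitRewards() external onlyOwnerOrController {
        _split();
    }
}
```

To check the behaviour, deploy both variants in Foundry or Hardhat against a mock IERC20, fund the splitter above principalDeposits, and call splitRewards from an arbitrary EOA: SplitterUnrestricted executes the split, while SplitterRestricted reverts with Unauthorized until the caller is the owner or the address set via setController. Note that in this model the receivers and shares are fixed at deployment, so an unrestricted caller can only choose when a split happens; the access control matters most where the split depends on msg.sender or on state an attacker can change, which is the property to confirm in the linked contract.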