Liquid Staking

Stakelink
DeFi / Hardhat / Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Insufficient Input Validation in addFee() Function

Summary

This report identifies insufficient input validation in the addFee function of the LSTRewardsSplitter contract. The lack of checks for the _receiver address and _feeBasisPoints could lead to unintended consequences, such as fees being directed to an invalid address or exceeding expected limits. Implementing robust validation measures is crucial to maintain the integrity and security of the fee management system.

Vulnerability Details

The addFee function in the LSTRewardsSplitter contract lacks sufficient input validation for the _receiver address and the _feeBasisPoints value. This could lead to unexpected behavior, including the potential addition of fees with invalid or malicious parameters.

Details

Impact

  • Invalid Address: If the _receiver address is invalid (e.g., zero address), it could result in fees being sent to an unintended recipient.

  • Excessive Fees: Although there is a check after adding the fee, it allows for the temporary addition of fees that may exceed the limit, which could affect contract behavior and trust.

Tools Used

Recommendations

1. Validate _receiver Address: Implement a check to ensure the _receiver address is not the zero address.

require(_receiver != address(0), "Invalid receiver address");

2. Validate _feeBasisPoints: Add validation to ensure that _feeBasisPoints is within acceptable limits (e.g., non-negative).

require(_feeBasisPoints > 0, "Fee must be greater than zero");

3. Modify Fee Check: Consider validating the total fees before adding a new fee to prevent temporarily exceeding the limit.
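The three recommendations above, combined in one illustrative contract. This is an added example, not the stake.link LSTRewardsSplitter source: the Fee struct, the fees array, totalBasisPoints, the 10,000 basis-point cap and the owner check are all assumptions made for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical fee registry used to illustrate input validation in addFee().
/// Names and the 10_000 bp cap are assumptions, not the audited contract's code.
contract FeeRegistryExample {
    struct Fee {
        address receiver;
        uint256 basisPoints;
    }

    uint256 public constant MAX_TOTAL_BASIS_POINTS = 10_000; // assumed cap = 100%
    address public immutable owner;
    Fee[] public fees;
    uint256 public totalBasisPoints;

    error NotOwner();
    error ZeroReceiver();
    error ZeroFee();
    error FeeCapExceeded(uint256 attempted, uint256 cap);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // "Before" shape described in the report: the fee is pushed first and the
    // cap is only checked afterwards. Note that a failing require reverts every
    // state change of the call, so the over-cap entry never persists on chain;
    // the checks-first form below is still clearer and fails without paying
    // for the storage writes.
    function addFeeCheckedAfter(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        fees.push(Fee(_receiver, _feeBasisPoints));
        totalBasisPoints += _feeBasisPoints;
        require(totalBasisPoints <= MAX_TOTAL_BASIS_POINTS, "fees exceed cap");
    }

    // "After": receiver, amount and resulting total are all validated before
    // any state is written (recommendations 1, 2 and 3).
    function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        if (_receiver == address(0)) revert ZeroReceiver();
        if (_feeBasisPoints == 0) revert ZeroFee();
        uint256 newTotal = totalBasisPoints + _feeBasisPoints;
        if (newTotal > MAX_TOTAL_BASIS_POINTS) revert FeeCapExceeded(newTotal, MAX_TOTAL_BASIS_POINTS);
        fees.push(Fee(_receiver, _feeBasisPoints));
        totalBasisPoints = newTotal;
    }
}
```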

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
