Liquid Staking

Summary

The setRewardsReceiver function contains a flawed permission check that allows for unintended behavior. Specifically, the permission logic to set the rewardsReceiver when it is uninitialized (i.e., address(0)) does not properly restrict access, potentially allowing unauthorized users to set the rewardsReceiver. This could lead to security vulnerabilities by enabling unauthorized parties to assume control of reward distribution.

Vulnerability Details

a non-owner account can potentially manipulate the rewards receiver without the owner's explicit permission.

This code is intended to allow only the owner to set the rewardsReceiver when it is uninitialized. However, due to the incomplete permission check, a non-owner might bypass the intended restriction in certain conditions.

mpact

Unauthorized changes: A non-owner could set or change the rewardsReceiver when the contract is in its uninitialized state.

• Security vulnerability: Malicious actors may assume control of the rewardsReceiver and divert rewards intended for other users.

• Loss of trust: If an unauthorized entity takes control, it can cause financial and reputational damage to the contract owner and its users.

Tools Used

Recommendations

Modify the permission check in setRewardsReceiver to explicitly ensure that only the owner can set the initial rewardsReceiver when it is uninitialized, and the current rewardsReceiver can change it thereafter. Here’s the corrected version: