Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Risk of 100% Operator Reward Fee in `setOperatorRewardPercentage` Function

Summary

The OperatorVCS contract allows the owner to set the operator reward percentage through the setOperatorRewardPercentage function. If the percentage is set to 100% (10000 basis points), all rewards generated by the protocol will go to operators, leaving no rewards for stakers or liquidity providers. This creates a significant vulnerability that could disrupt the economic balance of the system, leading to liquidity drain, participant exit, and overall protocol instability.

Vulnerability Details

The setOperatorRewardPercentage function allows the owner to specify the proportion of rewards allocated to operators. The function does not impose limits or constraints other than capping the percentage at 10000 basis points (100%). Here is the relevant function code:

```solidity
function setOperatorRewardPercentage(uint256 _operatorRewardPercentage) public onlyOwner {
    if (_operatorRewardPercentage > 10000) revert InvalidPercentage();
    _updateStrategyRewards();
    operatorRewardPercentage = _operatorRewardPercentage;
    emit SetOperatorRewardPercentage(_operatorRewardPercentage);
}
```

With no cap below 100% and no balanced distribution mechanism, the owner can validly direct the entire reward pool to operators. This over-concentration of rewards introduces multiple vulnerabilities in the system's incentive and governance models.

If the operator reward percentage is set to 10000 basis points (100%), every reward generated by the protocol will go exclusively to operators. This eliminates the incentives for other critical participants, such as stakers and liquidity providers, who may stop engaging with the protocol altogether.

With this configuration, the reward calculation in related functions would look like this:

```solidity
uint256 opRewards = (uint256(depositChange) * operatorRewardPercentage) / 10000;
```

If operatorRewardPercentage is 10000, all rewards will go to the operators.

Stakers and liquidity providers play a vital role in maintaining the health and liquidity of the protocol. If they receive no rewards, they lose any incentive to continue participating, leading to mass withdrawal of liquidity from the system.

Impact

Stakers and liquidity providers may exit, leading to decreased protocol engagement. With no rewards for stakers, liquidity could rapidly leave the system, making it difficult to facilitate trades or operations. The owner can unilaterally set 100% rewards for operators, introducing risks of exploitation.

Tools Used

Manual Review

Recommendations

Limit the operator reward percentage to a manageable maximum such as 40% (4000 basis points), and implement a time lock for any change to the operator reward percentage. This provides advance notice to participants, allowing them to react or exit the system if needed.
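
A sketch of the recommended cap plus time lock, added here as an example; it is not code from the OperatorVCS contract or from the submission. The constants, the queue/execute function names, the extra errors and events, and the minimal owner check are hypothetical; `_updateStrategyRewards`, `InvalidPercentage` and `SetOperatorRewardPercentage` are taken from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Added illustration only. Everything marked "hypothetical" is an assumption.
abstract contract CappedOperatorRewards {
    uint256 public constant MAX_OPERATOR_REWARD_BPS = 4000; // hypothetical: the 40% cap suggested above
    uint256 public constant CHANGE_DELAY = 7 days;          // hypothetical time lock length

    address public immutable owner;          // minimal stand-in for the contract's onlyOwner logic
    uint256 public operatorRewardPercentage; // basis points
    uint256 public pendingPercentage;        // queued value, basis points
    uint256 public pendingEffectiveAt;       // 0 means nothing is queued
    error InvalidPercentage();
    error NotOwner();
    error NothingQueued();
    error TimelockNotElapsed();
    event OperatorRewardPercentageQueued(uint256 percentage, uint256 effectiveAt);
    event SetOperatorRewardPercentage(uint256 percentage);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor(uint256 _initialPercentage) {
        if (_initialPercentage > MAX_OPERATOR_REWARD_BPS) revert InvalidPercentage();
        owner = msg.sender;
        operatorRewardPercentage = _initialPercentage;
    }

    // Step 1: announce the change. The event gives participants advance notice.
    function queueOperatorRewardPercentage(uint256 _percentage) external onlyOwner {
        if (_percentage > MAX_OPERATOR_REWARD_BPS) revert InvalidPercentage();
        pendingPercentage = _percentage;
        pendingEffectiveAt = block.timestamp + CHANGE_DELAY;
        emit OperatorRewardPercentageQueued(_percentage, pendingEffectiveAt);
    }

    // Step 2: apply the queued value once the delay has passed.
    // _updateStrategyRewards() runs before the assignment, in the same order as the page's setter.
    function executeOperatorRewardPercentage() external onlyOwner {
        if (pendingEffectiveAt == 0) revert NothingQueued();
        if (block.timestamp < pendingEffectiveAt) revert TimelockNotElapsed();
        _updateStrategyRewards();
        operatorRewardPercentage = pendingPercentage;
        delete pendingEffectiveAt;
        emit SetOperatorRewardPercentage(operatorRewardPercentage);
    }

    // Provided by the inheriting strategy contract; left abstract in this sketch.
    function _updateStrategyRewards() internal virtual;
}
```

Re-queuing before execution overwrites the pending value and restarts the delay, so the owner cannot shorten the notice period by queuing twice.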

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
