Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of duplicate check for receiver address in addFee()

sabit

Summary

Lack of duplicate check for receiver address in addFee().

Vulnerability Details

The addFee function allows the same receiver address to be added multiple times to the fee structure.

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {

fees.push(Fee(_receiver, _feeBasisPoints));

if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();

}

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L140C1-L143C6

For example:

Call addFee with address A and 100 basis points

Call addFee again with the same address A and 200 basis points
Observe that both fee entries are added successfully

Impact

A single address could receive a larger share of rewards than intended.

Tools Used

Manual review

Recommendations

Implement a check in the addFee function to ensure the receiver address is unique.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.