Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

Incorrect Fee Limit Check in addFee Function Allows Total Fees to Exceed 100%

0xbrett8571

Summary

The addFee function in the LSTRewardsSplitter contract has a vulnerability that allows the total fees to exceed the maximum limit of 100%. Because the function adds the new fee to the fees array before checking if the total fees exceed the limit. As a result, if the total fees are already at 100%, adding any new fee will temporarily push the total above the limit, leading to an invalid fee distribution state.

Vulnerability Details

This happens because the function first adds the new fee to the array and then checks if the total fees exceed the limit. If the total fees are already at 100%, adding any new fee will temporarily push the total above the limit before the revert happens, violating the intended behavior of not allowing total fees to exceed 100%.

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L140-L143

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {

fees.push(Fee(_receiver, _feeBasisPoints)); // <@ Adding new fee before checking total fees limit

if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();

}

In the order of operations within the addFee function. The new fee is added to the fees array using fees.push(Fee(_receiver, _feeBasisPoints)) before checking if the total fees exceed the limit with if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit().

This allows the total fees to temporarily exceed the maximum limit of 10000 basis points (100%) if the total fees are already at the limit before adding the new fee. The check should be performed before adding the new fee to ensure that the total fees never exceed the limit.

Impact

The contract is designed to enforce a maximum total fee limit of 100%. However, the vulnerability allows the total fees to exceed this limit, resulting in an invalid fee distribution state.
If the total fees exceed 100%, it can lead to incorrect calculations of rewards and their distribution among fee receivers. This may result in some receivers getting more rewards than intended, while others may receive less.

Tools Used

Manual Review

Recommendations

Modify the addFee function to perform the limit check before adding the new fee to the fees array. By performing the limit check before adding the new fee, we ensure that the total fees never exceed the maximum limit of 100%, even temporarily.

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {

+ if (_totalFeesBasisPoints() + _feeBasisPoints > 10000) revert FeesExceedLimit();

fees.push(Fee(_receiver, _feeBasisPoints));

- if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();

}

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.