Method removeSplitter()
is used to remove the underlying splitter from the splitters[]. It withdraw()
the amount before removing it. But the balance sent to withdraw()
is calculated wrong. This will lead it to revert every single time. There is also a possibility of DoS as if the malicious user sends some gwei of Lst to splitter contract every time removeSplitter()
is called. Which is lead it always revert.
https://github.com/Cyfrin/2024-09-stakelink/blob/main/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol#L136C1-L139C10
In the removeSplitter()
firstly balance is compared with principalDeposits and then splitter.splitRewards()
is called. From the rewards the fees will be distributed to the recipients and final amount will be always less than balance. So the next call splitter.withdraw(balance, _account);
will revert because of insufficient balance.
The owner will have to wait for rewards to reach rewardThreshold
and then immediately execute both performUpkeep()
and removeSplitter()
to be able to execute it fully. As the balance == principalDeposits
for the removeSplitter()
to be successfull. If the malicious user sandwich these calls and send some wei to underlying splitter contract then the removeSplitter()
will still revert.
Vs Code
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.