Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Centralization risk

Summary

The protocol has an owner with privileged rights to perform admin tasks that can affect users. Mostly, the owner can update the fee settings and set reward

Vulnerability Details

1) Validation is missing for admin fee setter functions

function setUnusedDepositLimit(uint256 _unusedDepositLimit) external onlyOwner {
    unusedDepositLimit = _unusedDepositLimit;
}

function setPriorityPool(address _priorityPool) external onlyOwner {
    priorityPool = _priorityPool;
}

2) Important changes initiated by admin should be logged via events.

function setRewardThreshold(uint256 _rewardThreshold) external onlyOwner {
    rewardThreshold = _rewardThreshold;
}

function setRouter(address _router) external override onlyOwner {
    // body truncated in the submission
}

Impact

While the protocol owner is regarded as a trusted party, the owner can change the fee settings and reward handler address without any validation or logging. This can lead to unexpected results and users can be affected.

Tools Used

manual

Recommendations

  • Specify the owner's privileges and responsibilities in the documentation.

  • Log the changes in the important state variables via events.

  • Add proper validation for the admin functions.
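As an added illustration of the last two recommendations (not Stakelink's code), the same four setters with zero-address checks, an upper bound on the reward threshold, and an event per change; the cap value, event names, custom errors and the minimal owner check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hardened setters: state-variable names follow the submission,
// everything else (cap, events, errors, owner logic) is assumed for the example.
contract HardenedAdminSetters {
    uint256 public constant MAX_REWARD_THRESHOLD = 1_000_000 ether; // assumed cap

    address public immutable owner;
    uint256 public unusedDepositLimit;
    uint256 public rewardThreshold;
    address public priorityPool;
    address public router;

    event UnusedDepositLimitUpdated(uint256 oldLimit, uint256 newLimit);
    event RewardThresholdUpdated(uint256 oldThreshold, uint256 newThreshold);
    event PriorityPoolUpdated(address indexed oldPool, address indexed newPool);
    event RouterUpdated(address indexed oldRouter, address indexed newRouter);

    error NotOwner();
    error ZeroAddress();
    error ThresholdTooHigh(uint256 requested, uint256 max);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Numeric setting: log old and new value so off-chain monitoring can diff them.
    function setUnusedDepositLimit(uint256 _unusedDepositLimit) external onlyOwner {
        emit UnusedDepositLimitUpdated(unusedDepositLimit, _unusedDepositLimit);
        unusedDepositLimit = _unusedDepositLimit;
    }

    // Numeric setting with a hard upper bound that even the owner cannot exceed.
    function setRewardThreshold(uint256 _rewardThreshold) external onlyOwner {
        if (_rewardThreshold > MAX_REWARD_THRESHOLD) {
            revert ThresholdTooHigh(_rewardThreshold, MAX_REWARD_THRESHOLD);
        }
        emit RewardThresholdUpdated(rewardThreshold, _rewardThreshold);
        rewardThreshold = _rewardThreshold;
    }

    // Address settings: reject the zero address, which would brick later calls.
    function setPriorityPool(address _priorityPool) external onlyOwner {
        if (_priorityPool == address(0)) revert ZeroAddress();
        emit PriorityPoolUpdated(priorityPool, _priorityPool);
        priorityPool = _priorityPool;
    }

    function setRouter(address _router) external onlyOwner {
        if (_router == address(0)) revert ZeroAddress();
        emit RouterUpdated(router, _router);
        router = _router;
    }
}
```

Indexed address fields let a monitoring job filter the logs for a specific old or new address without decoding every event.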

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
