Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Mishandling of Zero Withdrawers

Summary

Vulnerability Details

`LSTRewardsSplitter::withdraw` has no check that stops the withdrawal of a zero amount from the contract. This can lead to unnecessary state changes or other unintended behaviors.

Impact

```solidity
function withdraw(uint256 _amount, address _receiver) external onlyController {
    principalDeposits -= _amount;
    lst.safeTransfer(_receiver, _amount);
    emit Withdraw(_amount);
}
```

A contract can fail unexpectedly when this function is called with a zero amount, which may block further contract operations or disrupt automated workflows that depend on the contract's stability. The ability to withdraw a zero amount could be abused by attackers to execute gas griefing or event spamming attacks. By repeatedly triggering zero-value withdrawals, malicious actors could create useless transactions, increasing network congestion or bloating event logs.

Tools Used

Manual Review

Recommendations

To prevent these unintended behaviors, it's best to include a validation check to ensure the withdrawal amount is greater than zero:

```solidity
function withdraw(uint256 _amount, address _receiver) external onlyController {
    require(_amount > 0, "Cannot withdraw zero amount"); // Check for non-zero withdrawal
    principalDeposits -= _amount;
    lst.safeTransfer(_receiver, _amount);
    emit Withdraw(_amount);
}
```

Updates

Lead Judging Commences

inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity