Liquid Staking

Summary

The reward distribution mechanism in the contract is vulnerable to an issue where rewards are not fully distributed if the sum of all basisPoints for the fees is less than 10000 (i.e., 100%), instead The reward distribution mechanism inaccurately adds undistributed rewards to principalDeposits, which is supposed to represent only the amount of tokens deposited without rewards while emmiting an event stating that the whole _rewardsAmount was distributed.

Vulnerability Details

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L185
The function calculates the reward amount for each fee based on its basis points, but it doesn't ensure that the entire _rewardsAmount is distributed. If the sum of all fee basis points is less than 10000, the remaining rewards are not distributed.These undistributed rewards are incorrectly added to principalDeposits while emmiting an event stating that the whole _rewardsAmount was distributed.

Impact

this report contains a medium severity bug (misallocaiton of rewards) and low severity bug (Misleading Event Logs)
Misallocation of Rewards: By incorrectly attributing rewards to principalDeposits, the contract's accounting becomes inconsistent, and rewards could be effectively "lost" or inaccessible because they are treated as part of the principal balance.

Fund Lockup: Undistributed rewards become part of principalDeposits, which could cause issues when attempting to withdraw or manage rewards, as they are now mixed with principal funds.

Inaccurate Events: The RewardsSplit event will be misleading because it suggests that the entire reward amount was distributed, when a portion of the rewards may have been added to principalDeposits instead.

Tools Used

Manual code review

Recommendations

Ensure that any undistributed rewards are handled separately from principalDeposits