Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Lacking access control and input validation in LSTRewardsSplitterController contract's performUpkeep() function

zoobopukeman

Summary

Lacking proper access control and input validation in LSTRewardsSplitterController contract's performUpkeep() function can lead into corrupting system's states.

Audited scope:

  • 2024-09-stakelink/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol

Vulnerability Details

  1. Calling LSTRewardsSplitterController contract's performUpkeep()

// 2024-09-stakelink/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol
function performUpkeep(bytes calldata _performData) external {
bool[] memory splittersToCall = abi.decode(_performData, (bool[]));

There is no explicit indication that above functions are protected by any access control. This function also does not check input _performData to validate against bad data.

Impact

Anyone can call this function directly with bad _performData to run internal processing, posing a significant security threat to the integrity and functionality of your system.

Recommended Mitigation

Apply onlyChainlink modifier (that checks caller address is from Chainlink nodes) to restrict access and also apply input validation on input _performData:

// 2024-09-stakelink/contracts/core/lstRewardsSplitter/LSTRewardsSplitterController.sol
function performUpkeep(bytes calldata _performData) external onlyChainlink {
_validatePerformData(_performData);
bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Too generic

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.