Liquid Staking
Stakelink
DeFiHardhatOracle
50,000 USDC
View results
Previous Next
Submission Details
Severity: high
Invalid

splitRewards function allows for the distribution of rewards without any access control

sabit

Summary

splitRewards function allows for the distribution of rewards without any access control.

Vulnerability Details

  1. The splitRewards function is declared as external without any access modifiers:

    function splitRewards() external {
    // Function body
    }

    https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/core/lstRewardsSplitter/LSTRewardsSplitter.sol#L116

    This function bypasses the rewardThreshold check that is present in the performUpkeep function, as noted in the comment:

    /**
    * @notice Splits new rewards between fee receivers
    * @dev bypasses rewardThreshold
    */

The function allows for the distribution of any positive reward amount, even if it's below the intended threshold:

if (newRewards < 0) {
principalDeposits -= uint256(-1 * newRewards);
} else if (newRewards == 0) {
revert InsufficientRewards();
} else {
_splitRewards(uint256(newRewards));
}

However, there is no restriction as to who can call the function.

Impact

Any external actor can call this function and trigger the distribution of rewards, regardless of their role or permissions in the system.

Tools Used

Manual review

Recommendations

Add appropriate access control to the splitRewards function. This could be done using a modifier similar to onlyController or by restricting it to the contract owner.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.