Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Incorrect Error Revert in `setRewardsReceiver::OperatorVault.sol`

Summary

The setRewardsReceiver function contains an incorrect revert error when validating the caller. Specifically, when rewardsReceiver is set to the zero address and the caller is not the contract owner, the function reverts with the OnlyRewardsReceiver error instead of the intended OnlyOwner error.

Vulnerability Details

Issue: The function checks whether rewardsReceiver is the zero address and whether the caller is not the contract owner. If both conditions are met, the function reverts with an incorrect error: OnlyRewardsReceiver. This is confusing because the caller expects a revert with OnlyOwner, which would indicate that only the owner can set the receiver in that case.

Code Snippet

https://github.com/Cyfrin/2024-09-stakelink/blob/f5824f9ad67058b24a2c08494e51ddd7efdbb90b/contracts/linkStaking/OperatorVault.sol#L260-L267

```solidity
function setRewardsReceiver(address _rewardsReceiver) public {
    if (rewardsReceiver != address(0) && msg.sender != rewardsReceiver)
        revert OnlyRewardsReceiver();
    // @audit-issue: the next line reverts with the wrong error.
    if (rewardsReceiver == address(0) && msg.sender != owner()) revert OnlyRewardsReceiver();
    if (_rewardsReceiver == address(0)) revert ZeroAddress();
    rewardsReceiver = _rewardsReceiver;
    emit SetRewardsReceiver(_rewardsReceiver);
}
```

Impact

It may cause confusion during debugging or when trying to understand why certain conditions are failing, especially for users or developers interacting with the contract.

Tools Used

Manual review

Recommendations

Update the conditional check to revert with the correct OnlyOwner error message when the caller is not the owner and the rewardsReceiver is the zero address.
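
One way to apply this recommendation, as an added example that is not code from the Stakelink repository or from the original submission. It assumes an OnlyOwner custom error is declared (the page names it but does not show its declaration), models ownership with a plain storage variable instead of the project's owner(), and uses a hypothetical contract name. The two caller checks are restructured into explicit branches so that each state maps to exactly one error; which callers are accepted is unchanged.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not the project's OperatorVault.
// Assumptions: contract name, the `owner` storage variable, the event
// signature and the OnlyOwner declaration are all hypothetical.
contract RewardsReceiverExample {
    address public owner;
    address public rewardsReceiver;

    event SetRewardsReceiver(address rewardsReceiver);

    error OnlyOwner(); // assumed declaration
    error OnlyRewardsReceiver();
    error ZeroAddress();

    constructor() {
        owner = msg.sender;
    }

    function setRewardsReceiver(address _rewardsReceiver) public {
        if (rewardsReceiver == address(0)) {
            // Receiver not set yet: only the owner may initialise it.
            if (msg.sender != owner) revert OnlyOwner();
        } else {
            // Receiver already set: only the current receiver may replace it.
            if (msg.sender != rewardsReceiver) revert OnlyRewardsReceiver();
        }
        if (_rewardsReceiver == address(0)) revert ZeroAddress();

        rewardsReceiver = _rewardsReceiver;
        emit SetRewardsReceiver(_rewardsReceiver);
    }
}
```

Custom errors are returned to the caller as a 4-byte selector, so any test or off-chain client that matches on OnlyRewardsReceiver for the unset-receiver path has to be updated along with this change.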

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
