Liquid Staking

Summary

The LSTRewardsSplitter contract's fee management system can enter a state where it's impossible to add new fees or modify existing ones without first reducing the total fee percentage, even after removing a fee. This can lead to operational difficulties and potential contract inflexibility

Vulnerability Details

In the updateFee function, when a fee is set to zero basis points (effectively removing it), the contract does not automatically redistribute or reduce the total fee percentage. This can result in a situation where:

• The total fees reach the maximum of 10,000 basis points (100%).

• A fee is removed using updateFee with zero basis points.

• The remaining fees still sum to 10,000 basis points.

• New fees cannot be added because they would exceed the 10,000 basis point limit.
  Relevant code:

Impact

• Contract Inflexibility: Once the total fees reach 100%, removing a fee doesn't create space for new fees, leading to a potentially "locked" state.

• Operational Complexity: Managing fees becomes more complex, potentially requiring multiple transactions to adjust fees as desired.

• Unintuitive Behavior: Users might expect that removing a fee would allow for the addition of new fees, but this isn't necessarily the case.

• Potential for Stuck State: The contract could end up in a state where fees can't be added or modified without first reducing existing fees, which might require additional governance actions or contract upgrades.

Tools Used

Manual code review

Recommendations

Implement Proportional Redistribution: When a fee is removed, redistribute its basis points proportionally among the remaining fees. This ensures that removing a fee always creates space for potential new fees.