Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

checkUpkeep does not reference rewardThreshold in determining whether to call performUpkeep

Summary

checkUpkeep does not reference rewardThreshold in determining whether to call performUpkeep

Vulnerability Details

    function checkUpkeep(bytes calldata) external view returns (bool, bytes memory) {
        // One flag per account, in the same order as the accounts array
        bool[] memory splittersToCall = new bool[](accounts.length);
        bool overallUpkeepNeeded;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            // Ask each account's splitter whether it needs upkeep
            (bool upkeepNeeded, ) = splitters[accounts[i]].checkUpkeep("");
            splittersToCall[i] = upkeepNeeded;
            if (upkeepNeeded) overallUpkeepNeeded = true;
        }
        // performData carries the per-splitter flags
        return (overallUpkeepNeeded, abi.encode(splittersToCall));
    }

The checkUpkeep function iterates over all splitters in the accounts array and encodes whether they need splitting, but there's no check to ensure that the rewards have exceeded the rewardThreshold set for splitting.

The threshold (rewardThreshold) is defined in the contract but never actually referenced in checkUpkeep to determine whether to call performUpkeep.

Impact

Returns from checkUpkeep will be incorrect, and performUpkeep will be called in situations when there are no rewards, which is not intended.

Tools Used

Manual Review

Recommendations

In checkUpkeep, add a check to determine whether the splitter has rewards exceeding rewardThreshold before returning upkeepNeeded. This ensures upkeep is only performed when rewards exceed the defined threshold.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
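
Added example (not part of the submission, the judgement, or stake.link's code): the controller function quoted above only aggregates what each splitter's own checkUpkeep returns, so whether a threshold gates upkeep depends on the callee, which this page does not show. The sketch assumes a hypothetical MockSplitter that compares its new rewards with the controller's rewardThreshold; ControllerModel, addSplitter, setNewRewards and DelegationCheck are illustrative names and all values are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Hypothetical callee. Its threshold logic is an assumption: the real
// splitter contract is not shown on this page.
contract MockSplitter {
    ControllerModel public immutable controller;
    uint256 public newRewards; // constructed value, set by the check below

    constructor(ControllerModel _controller) { controller = _controller; }

    function setNewRewards(uint256 _newRewards) external { newRewards = _newRewards; }

    // Assumed callee-side gate: upkeep only once rewards reach the threshold.
    function checkUpkeep(bytes calldata) external view returns (bool, bytes memory) {
        return (newRewards >= controller.rewardThreshold(), bytes(""));
    }
}

// Same aggregation shape as the controller function quoted in the submission.
contract ControllerModel {
    uint256 public rewardThreshold = 100; // constructed threshold
    address[] public accounts;
    mapping(address => MockSplitter) public splitters;

    function addSplitter(address _account, MockSplitter _splitter) external {
        accounts.push(_account);
        splitters[_account] = _splitter;
    }

    function checkUpkeep(bytes calldata) external view returns (bool, bytes memory) {
        bool[] memory splittersToCall = new bool[](accounts.length);
        bool overallUpkeepNeeded;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            (bool upkeepNeeded, ) = splitters[accounts[i]].checkUpkeep("");
            splittersToCall[i] = upkeepNeeded;
            if (upkeepNeeded) overallUpkeepNeeded = true;
        }
        return (overallUpkeepNeeded, abi.encode(splittersToCall));
    }
}

// Reverts unless the aggregate result tracks the callee's threshold check.
contract DelegationCheck {
    function run() external returns (bool below, bool atThreshold) {
        ControllerModel c = new ControllerModel();
        MockSplitter s = new MockSplitter(c);
        c.addSplitter(address(1), s); // constructed account
        s.setNewRewards(99);
        (below, ) = c.checkUpkeep("");
        s.setNewRewards(100);
        (atThreshold, ) = c.checkUpkeep("");
        require(!below && atThreshold, "threshold not reflected in aggregate");
    }
}
```

When reviewing a claim that an aggregator skips a check, read the contract behind each delegated call before concluding the check is absent.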
