Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: low
Invalid

Loss of LST Tokens Due to Missing Rescue Function in `LSTRewardsSplitterController`

Summary

If users mistakenly call `lst.transfer()` instead of `lst.transferAndCall()` to transfer their LST tokens to the `LSTRewardsSplitterController` contract, the tokens will be permanently locked. This is because the `LSTRewardsSplitterController` contract lacks a rescue function to refund mistakenly transferred tokens.

Vulnerability Details

The intended way for users to deposit LST tokens into the `LSTRewardsSplitterController` contract is by calling `lst.transferAndCall()`. This method ensures that the `onTokenTransfer()` function is triggered, allowing the contract to handle the tokens appropriately.

However, if users mistakenly call `lst.transfer()`, which is a common ERC-20 transfer method, the LST tokens will be transferred to the `LSTRewardsSplitterController` contract without triggering `onTokenTransfer()`. Since the contract does not have a rescue function to recover these tokens, they will remain locked in the contract.

Likelihood is very low, but the impact is high.

Impact

Users who incorrectly transfer their LST tokens via `lst.transfer()` will permanently lose access to their tokens.

Tools Used

vscode

Recommendations

Add a rescue or recovery function to the `LSTRewardsSplitterController` contract that allows an admin to refund mistakenly transferred tokens.
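
The two transfer paths described above, with a recovery function capped at the unaccounted balance, as an added example that is not Stakelink's code. `MiniERC677`, `AccountingReceiver`, `accounted`, `surplus()` and `rescue()` are hypothetical names, and the receiver is assumed to hold deposits itself and track them in a single counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; every name here is hypothetical, not Stakelink code.
interface IERC677Receiver {
    function onTokenTransfer(address sender, uint256 value, bytes calldata data) external;
}

contract MiniERC677 {
    mapping(address => uint256) public balanceOf;
    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    // Plain ERC-20 path: balances move, the recipient is never notified.
    function transfer(address to, uint256 value) public returns (bool) {
        balanceOf[msg.sender] -= value; // reverts on underflow in 0.8+
        balanceOf[to] += value;
        return true;
    }

    // ERC-677 path: same balance move, then the recipient's hook runs.
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool) {
        transfer(to, value);
        if (to.code.length > 0) IERC677Receiver(to).onTokenTransfer(msg.sender, value, data);
        return true;
    }
}

contract AccountingReceiver is IERC677Receiver {
    MiniERC677 public immutable token;
    address public immutable admin;
    uint256 public accounted; // total credited through onTokenTransfer

    constructor(MiniERC677 _token) { token = _token; admin = msg.sender; }

    function onTokenTransfer(address, uint256 value, bytes calldata) external {
        require(msg.sender == address(token), "only token");
        accounted += value;
    }

    // Tokens that arrived via transfer(): held balance minus credited deposits.
    function surplus() public view returns (uint256) {
        return token.balanceOf(address(this)) - accounted;
    }

    // Recovery is capped at the surplus, so credited deposits cannot be swept.
    function rescue(address to, uint256 value) external {
        require(msg.sender == admin, "only admin");
        require(value <= surplus(), "exceeds surplus");
        token.transfer(to, value);
    }
}
```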

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
