Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Distributing rewards from all strategies will revert if any fee receiver from any strategy does not implement `onTokenTransfer`, causing DoS

rscodes

Summary

for (uint256 i = 0; i < receivers.length; i++) {

for (uint256 j = 0; j < receivers[i].length; j++) {

if (feesPaidCount == totalFeeCount - 1) {

transferAndCallFrom(

address(this),

receivers[i][j],

balanceOf(address(this)),

"0x"

);

} else {

transferAndCallFrom(address(this), receivers[i][j], feeAmounts[i][j], "0x");

feesPaidCount++;

}

In StakingPool.sol, fee receivers are paid using transferAndCallFrom which calls receiver.onTokenTransfer if the receiver is a contract.

Hence, as long as 1 fee receiver does not implement onTokenTransfer, the call to distribute rewards to ALL fee receivers will revert.

Impact And Likelihood

Impact
- The whole distribution attempt will revert and even fee receivers who abide by the proper implementation will not be able to receive their respective tokens
Likelihood
- There are multiple fee receivers and multiple strategies, and even if one does not follow the proper implementation, the whole transaction will revert and cause fee receivers of other strategies to be unable to receive their tokens

Recommended Steps

It is better to not revert the transaction in the favour of 1 incompatible fee receiver but instead allow the majority to get the yield-bearing shares first, as it would be an opportunity cost for the innocent fee receivers who follow the implementation format if we withhold their shares and end up causing loss of yield.

Protocol could also send the un-distributable fees to the strategies and let the 1 incompatible fee receiver claim it from there later on.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.