A user can deposit LST tokens into the `LSTRewardsSplitter.sol` contract through `LSTRewardsSplitterController.sol::onTokenTransfer`, and can also withdraw tokens from that contract. The issue is that when a user deposits LST tokens via `onTokenTransfer`, the deposited amount is not stored per user: the contract only records the user as a splitter, and a splitter can then withdraw tokens from that contract. Because no per-user amount is stored, a user can withdraw the entire contract balance, and there is no check restricting a user to withdrawing only the amount they own.
A splitter can steal all the LST tokens deposited into `LSTRewardsSplitter.sol`.
VSC, Manual Review
In `LSTRewardsSplitterController.sol`, store each splitter's deposit amount, and during withdrawal check that the user cannot withdraw more than their deposit.
`LSTRewardsSplitterController.sol`
```solidity
// added: per-splitter deposit ledger
mapping(address splitter => uint256 splitterDepositAmount) public splitterDeposit;

function onTokenTransfer(address _sender, uint256 _value, bytes calldata) external {
    if (msg.sender != lst) revert InvalidToken();
    if (address(splitters[_sender]) == address(0)) revert SenderNotAuthorized();
    // added: record how much this splitter has deposited
    splitterDeposit[_sender] += _value;
    splitters[_sender].deposit(_value);
}

/**
 * @notice Withdraws tokens
 * @param _amount amount to withdraw
 */
function withdraw(uint256 _amount) external {
    if (address(splitters[msg.sender]) == address(0)) revert SenderNotAuthorized();
    // added: a splitter may withdraw at most what it has deposited
    if (_amount > splitterDeposit[msg.sender]) revert WithdrawAmountExceedFromDepositedAmount();
    // added: reduce the recorded deposit so the same balance cannot be withdrawn twice
    splitterDeposit[msg.sender] -= _amount;
    splitters[msg.sender].withdraw(_amount, msg.sender);
}
```
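As an added illustration (not the project's code and not part of the original finding), a Foundry test against a hypothetical minimal `SplitterLedger` contract that models only the accounting of the recommended fix: it checks that a splitter cannot withdraw more than its own recorded deposit, and that the record is decremented so the check cannot be passed twice with the same balance. The contract name, the `alice`/`bob` accounts and the amounts are constructed; `forge-std` is assumed to be available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

/// Hypothetical stand-in for the controller's per-splitter ledger.
/// Only the accounting is modelled; the LST transfer and the calls
/// into the per-splitter contract are omitted on purpose.
contract SplitterLedger {
    error WithdrawAmountExceedFromDepositedAmount();

    mapping(address => uint256) public splitterDeposit;

    function deposit(address splitter, uint256 value) external {
        splitterDeposit[splitter] += value;
    }

    function withdraw(uint256 amount) external {
        if (amount > splitterDeposit[msg.sender]) revert WithdrawAmountExceedFromDepositedAmount();
        // Without this decrement the bound above could be satisfied repeatedly.
        splitterDeposit[msg.sender] -= amount;
    }
}

contract SplitterLedgerTest is Test {
    SplitterLedger ledger;
    address alice = makeAddr("alice"); // constructed test accounts
    address bob = makeAddr("bob");

    function setUp() public {
        ledger = new SplitterLedger();
        ledger.deposit(alice, 100 ether);
        ledger.deposit(bob, 50 ether);
    }

    function test_cannotWithdrawMoreThanOwnDeposit() public {
        vm.prank(bob);
        vm.expectRevert(SplitterLedger.WithdrawAmountExceedFromDepositedAmount.selector);
        ledger.withdraw(150 ether); // more than bob's share: must revert
    }

    function test_recordDecrementsSoCheckCannotBeReplayed() public {
        vm.startPrank(bob);
        ledger.withdraw(50 ether);
        assertEq(ledger.splitterDeposit(bob), 0);
        vm.expectRevert(SplitterLedger.WithdrawAmountExceedFromDepositedAmount.selector);
        ledger.withdraw(50 ether); // second identical withdrawal must fail
        vm.stopPrank();
    }
}
```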