Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Perform upkeep function can be DoSed due to revert keyword in for loop

Summary

Perform upkeep function can be DoSed due to revert keyword in for loop

Vulnerability Details

The perform upkeep functionality is used for updating the state variable of the LSTRewardSplitter. But it can also be DoSed by frontrunning due to the revert keyword in the upkeep function in the splitters.

    // Controller: calls performUpkeep on every splitter selected in _performData
    function performUpkeep(bytes calldata _performData) external {
        // @audit can be DoSed by frontrunning
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
        bool splitterCalled;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            if (splittersToCall[i] == true) {
                // @audit a revert in any single splitter reverts the whole batch
                splitters[accounts[i]].performUpkeep("");
                splitterCalled = true;
            }
        }
        if (splitterCalled == false) {
            revert InvalidPerformData();
        }
    }

    // Splitter: called by the controller above, and also callable directly
    function performUpkeep(bytes calldata) external {
        int256 newRewards = int256(lst.balanceOf(address(this))) - int256(principalDeposits);
        if (newRewards < 0) {
            principalDeposits -= uint256(-1 * newRewards);
        } else if (uint256(newRewards) < controller.rewardThreshold()) {
            // @audit reverts when new rewards are below the threshold
            revert InsufficientRewards();
        } else {
            _splitRewards(uint256(newRewards));
        }
    }

In the attack scenario, whenever the performUpkeep() function is called by someone, a front-runner can call upkeep for only one splitter, and the batch call will revert in the threshold check.

Impact

Actually, the attack vector doesn't need an attacker in order to cause a DoS. All the functions here are public and will most likely be used by users. So any upkeep call can affect another user's upkeep call from the controller, which will cause a DoS without an attacker. In my professional point of view, a try and catch in this for loop will keep all the splitters updated and avoid the DoS.

Tools Used

Manual Review

Recommendations

Applying a try/catch mechanism and not reverting on failure will prevent the DoS.
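
One way to write the recommended loop, as an added example that is not part of the submission or the project's code. `ControllerSketch`, `ISplitter`, `addSplitter` and the `SplitterUpkeepFailed` event are assumed names; only `performUpkeep`, `splitters`, `accounts` and `InvalidPerformData` come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Assumed minimal view of a splitter; only performUpkeep is taken from the page.
interface ISplitter {
    function performUpkeep(bytes calldata) external;
}

contract ControllerSketch {
    error InvalidPerformData();
    // Assumed event so that swallowed failures stay visible to monitoring.
    event SplitterUpkeepFailed(address indexed account, bytes reason);

    address[] internal accounts;
    mapping(address => ISplitter) public splitters;

    // Hypothetical registration helper; access control omitted in this sketch.
    function addSplitter(address _account, ISplitter _splitter) external {
        accounts.push(_account);
        splitters[_account] = _splitter;
    }

    function performUpkeep(bytes calldata _performData) external {
        bool[] memory splittersToCall = abi.decode(_performData, (bool[]));
        // Reject flag arrays longer than the account list instead of panicking.
        if (splittersToCall.length > accounts.length) revert InvalidPerformData();

        bool splitterCalled;
        for (uint256 i = 0; i < splittersToCall.length; ++i) {
            if (!splittersToCall[i]) continue;
            // A splitter that reverts (for example with InsufficientRewards
            // because it was already updated) no longer aborts the batch.
            // Note: try/catch does not cover a target with no code; the
            // registration step must guarantee a deployed splitter.
            try splitters[accounts[i]].performUpkeep("") {
                splitterCalled = true;
            } catch (bytes memory reason) {
                emit SplitterUpkeepFailed(accounts[i], reason);
            }
        }
        // Design choice in this sketch: revert only if no splitter was updated.
        if (!splitterCalled) revert InvalidPerformData();
    }
}
```

Because the catch branch hides the splitter's revert from the caller, the emitted event is the only record of which splitters were skipped and why.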

Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
