Liquid Staking

Stakelink
DeFi, Hardhat, Oracle
50,000 USDC
Submission Details
Severity: medium
Invalid

Wrong byte data value passed to `transferAndCallFrom()` in `_updateStrategyRewards()`

Summary

In the transferAndCallFrom() parameters in StakingPool#_updateStrategyRewards(), "0x" is passed. This is an invalid value: if an empty value was intended, it should be the empty string, "".

Vulnerability Details

```solidity
function _updateStrategyRewards(uint256[] memory _strategyIdxs, bytes memory _data) private {
    // [...]
            transferAndCallFrom(
                address(this),
                receivers[i][j],
                balanceOf(address(this)),
                // @audit it should be "" if it's meant to be empty
                "0x"
            );
        } else {
            // @audit it should be "" if it's meant to be empty
            transferAndCallFrom(address(this), receivers[i][j], feeAmounts[i][j], "0x");
            feesPaidCount++;
        }
```

The literal "0x" is passed as a byte array of length 2 containing the characters 0 and x. It should be the empty string, "". While this might not seem to matter, the transfer is made to the arbitrary address receivers[i][j], so there is no guarantee how the receiver will behave when given non-zero-length data. In rare cases this may even lead to reverts and DoS the rewards.
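
The difference between the two literals, as an added example that is not code from the submission or from Stakelink: a receiver that decodes any non-empty payload is called once with "0x" and once with "". `DecodingReceiver`, `PayloadDemo` and their functions are hypothetical names, and the ERC-677 style `onTokenTransfer(address,uint256,bytes)` hook signature is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical receiver, constructed for this example (not a Stakelink contract).
// Assumption: the token invokes an ERC-677 style hook with this signature.
contract DecodingReceiver {
    bool public lastFlag;
    uint256 public lastAmount;

    function onTokenTransfer(address, uint256 _value, bytes calldata _data) external {
        // Empty payload means "use the default"; anything else is decoded.
        // abi.decode reverts when the payload is shorter than one 32-byte word.
        lastFlag = _data.length == 0 ? false : abi.decode(_data, (bool));
        lastAmount = _value;
    }
}

// Hypothetical harness standing in for the caller of transferAndCallFrom().
contract PayloadDemo {
    DecodingReceiver public receiver = new DecodingReceiver();

    // Lengths of the two literals after conversion to bytes.
    function literalLengths() external pure returns (uint256, uint256) {
        bytes memory prefixed = "0x"; // bytes 0x30 0x78, the characters '0' and 'x'
        bytes memory empty = "";
        return (prefixed.length, empty.length);
    }

    // True if the hook accepted the payload, false if it reverted.
    function hookAccepts(bytes memory _data) public returns (bool) {
        try receiver.onTokenTransfer(address(this), 1, _data) {
            return true;
        } catch {
            return false;
        }
    }

    // The same call with the two payloads discussed in the finding.
    function demo() external returns (bool prefixedOk, bool emptyOk) {
        prefixedOk = hookAccepts("0x");
        emptyOk = hookAccepts("");
    }
}
```

Whether a given receiver is affected depends on whether its hook reads the data argument at all; a hook that ignores it behaves identically for both payloads.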

Impact

A wrong value is passed as empty data to transferAndCallFrom(), which may impact receivers that expect either empty data or an encoded value.

Tools Used

Manual review

Recommendations

Change the byte data in transferAndCallFrom() to an empty array:

function _updateStrategyRewards(uint256[] memory _strategyIdxs, bytes memory _data) private {
// [...]
transferAndCallFrom(
address(this),
receivers[i][j],
balanceOf(address(this)),
- "0x"
+ ""
);
} else {
- transferAndCallFrom(address(this), receivers[i][j], feeAmounts[i][j], "0x");
+ transferAndCallFrom(address(this), receivers[i][j], feeAmounts[i][j], "");
feesPaidCount++;
}
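
Review bot: both replaced arguments (the multi-line call and the one-line call in the else branch) switch the payload from the two-byte string literal "0x" to zero-length bytes, but nothing in the patch shows a receiver in receivers[i][j] that treats the two inputs differently. Add a test that runs _updateStrategyRewards() against a receiver whose token-transfer hook inspects the data length, so the change is backed by observed behaviour rather than by the literal alone. Since the same literal is repeated at two call sites, a single named constant for the empty payload would also keep them from drifting apart again.
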
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Validated
Assigned finding tags:

[INVALID] Wrong calldata argument provided to `transferAndCallFrom` in `WithdrawPool::_updateStrategyRewards` results in a revert in `PriorityPool::onTokenTransfer`

Appeal created

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

[INVALID] Wrong calldata argument provided to `transferAndCallFrom` in `WithdrawPool::_updateStrategyRewards` results in a revert in `PriorityPool::onTokenTransfer`
