Category: Business Logic

The addFee functions can repeat receivers

Severity: Informational
Impact: Informational
Likelihood: N/A

Description

In the PolygonStrategy contract, the addFee function adds a new receiver with an assigned split of the fee:

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
    _updateStrategyRewards();
    fees.push(Fee(_receiver, _feeBasisPoints));
    if (_totalFeesBasisPoints() > 3000) revert FeesTooLarge();
    emit AddFee(_receiver, _feeBasisPoints);
}

Similarly, in the LSTRewardsSplitter contract, there is another addFee function that does the same thing:

function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
    fees.push(Fee(_receiver, _feeBasisPoints));
    if (_totalFeesBasisPoints() > 10000) revert FeesExceedLimit();
}

Both of these addFee functions can add the same receiver multiple times.

Impact

It may be unintuitive to users or external code that a receiver can be present multiple times in the fees array.

Recommendations

We recommend adding a mapping keyed by the receiver address to ensure that a receiver is not added twice. If the mapping were public, this would also allow users to easily check what the fee is for a particular receiver without having to iterate over the entire fees array.
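
One way to apply this recommendation, as an added example that is not code from the audited contracts or from the report: a receiver-keyed mapping rejects duplicates in addFee and backs a direct fee lookup. The contract name, the Fee field names, feeIndex, removeFee, feeBasisPointsOf, the ownership check and the two Receiver errors are assumptions made for illustration; the 3000 basis-point cap is the one from the PolygonStrategy excerpt, and the reward update and event from that excerpt are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited code. FeeRegistryExample, feeIndex,
// removeFee, feeBasisPointsOf and the two Receiver* errors are hypothetical names.
contract FeeRegistryExample {
    struct Fee { address receiver; uint256 basisPoints; }
    error NotOwner();
    error FeesTooLarge();
    error ReceiverAlreadyAdded();
    error ReceiverNotFound();

    address public immutable owner;
    Fee[] public fees;
    // receiver => index in `fees` plus one; 0 means the receiver is absent.
    mapping(address => uint256) public feeIndex;

    constructor() { owner = msg.sender; }
    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    function addFee(address _receiver, uint256 _feeBasisPoints) external onlyOwner {
        if (feeIndex[_receiver] != 0) revert ReceiverAlreadyAdded();
        fees.push(Fee(_receiver, _feeBasisPoints));
        feeIndex[_receiver] = fees.length; // new index + 1
        if (_totalFeesBasisPoints() > 3000) revert FeesTooLarge();
    }

    // Swap-and-pop removal; the moved entry's index must be rewritten or the
    // mapping silently points at the wrong slot.
    function removeFee(address _receiver) external onlyOwner {
        uint256 slot = feeIndex[_receiver];
        if (slot == 0) revert ReceiverNotFound();
        Fee memory moved = fees[fees.length - 1];
        fees[slot - 1] = moved;
        feeIndex[moved.receiver] = slot;
        fees.pop();
        delete feeIndex[_receiver];
    }

    function feeBasisPointsOf(address _receiver) external view returns (uint256) {
        uint256 slot = feeIndex[_receiver];
        return slot == 0 ? 0 : fees[slot - 1].basisPoints;
    }

    function _totalFeesBasisPoints() private view returns (uint256 total) {
        for (uint256 i = 0; i < fees.length; ++i) total += fees[i].basisPoints;
    }
}
```

Storing the index plus one lets a receiver with a zero fee be distinguished from an absent receiver, which a mapping from receiver to basis points alone could not do.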

Remediation

Zellic © 2025