OsToken::setAvgRewardPerSecond() - L203: Unless intended to be able to set avgRewardPerSecond to 0, there's a missing input validation check.

[hats-bug-reporter[bot]]

Github username: @dappconsulting Submission hash (on-chain): 0xa01ed2f9efb22c5cc229db911375bdc18accea086d8d98d90112fc41aef12566 Severity: low

Description: Description\

OsToken::setAvgRewardPerSecond() - L203: Unless intended to be able to set avgRewardPerSecond to 0, there's a missing input validation check.

https://github.com/stakewise/v3-core/blob/9c30c45878397aa97918cbafcc6a62e4be4bbd4d/contracts/osToken/OsToken.sol#L203

I assume that since one of the primary purposes/functionalities of the StakeWise protocol is to provide rewards to users for staking etc, that it would be an abnormal scenario where avgRewardPerSecond would be set to zero, therefore, I suggest to add the input validation check above the following line:

avgRewardPerSecond = _avgRewardPerSecond;

Check:

if (_avgRewardPerSecond == 0) revert Errors.ZeroValue();

Attack Scenario\ No exploit, but potentially no rewards possible, temporarily, until this state variable's value is changed to non-zero.

Attachments

1. Proof of Concept (PoC) File

2. Revised Code File (Optional)

[tsudmi]

avgRewardPerSecond can be set to 0 to disable rewards accrual for osToken