#41256 [SC-Insight] Contradictory Documentation and actual function
Submitted on Mar 13th 2025 at 03:27:02 UTC by @xdead4f for
Report ID: #41256
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/RewardSettings.sol
Impacts:
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
The RewardSettings.sol contract contains critical inconsistencies between variable names, comments, and actual implementation logic, creating significant risk of misunderstanding by developers, auditors, and users. This misconception could lead to unexpected reward distribution behavior and potential exploitation.
RewardSettings.sol: Variable MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR
Reward.sol: Integration with the above variable in reward calculation logic
The variable MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR has a comment stating:
This comment suggests:
The value represents a percentage
It should equate to "1/10" of total rewards
But is initialized to 30
These statements are internally inconsistent and don't align with how the value is actually used.
Unintended Reward Distribution: If an admin intends to increase the reward cap by increasing the parameter value (based on its name), they would actually be decreasing the maximum reward.
Whale Exploitation Risk: If mistakenly set too low (e.g., 2 instead of 20), a single wallet could claim up to 50% of epoch rewards, potentially draining the reward pool unfairly.
Given this scenario:
Current setting: 30 → Max reward = ~3.33% of epoch rewards
Admin wants to double maximum rewards
Misled by documentation, changes to 60
Actual result: Max reward = ~1.67% (halved instead of doubled)
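One way to remove the ambiguity described in this report, as an added sketch that is not the code of RewardSettings.sol: the contract name, the bounds, the setter and the event are hypothetical, and it assumes the per-wallet cap is computed as epoch rewards divided by the factor, as the percentages above imply.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Hypothetical sketch for illustration, not the audited contract.
contract RewardCapSettings {
    uint256 public constant BPS = 10_000;
    // Assumed bounds: they keep a typo such as 2 instead of 20 from being accepted.
    uint256 public constant MIN_DIVISOR = 10;    // cap never above 1/10 of an epoch
    uint256 public constant MAX_DIVISOR = 1_000; // cap never below 1/1000 of an epoch

    address public immutable owner;
    /// Per-wallet cap = epochRewards / maxCapPerWalletPerEpochDivisor.
    /// The name says "divisor" because a LARGER value means a SMALLER cap.
    uint256 public maxCapPerWalletPerEpochDivisor = 30;

    event CapDivisorChanged(uint256 oldDivisor, uint256 newDivisor, uint256 newCapBps);
    error NotOwner();
    error DivisorOutOfRange(uint256 value);

    constructor() { owner = msg.sender; }

    function setCapDivisor(uint256 newDivisor) external {
        if (msg.sender != owner) revert NotOwner();
        if (newDivisor < MIN_DIVISOR || newDivisor > MAX_DIVISOR) {
            revert DivisorOutOfRange(newDivisor);
        }
        uint256 oldDivisor = maxCapPerWalletPerEpochDivisor;
        maxCapPerWalletPerEpochDivisor = newDivisor;
        // Emit the resulting cap in basis points so the direction of the change is visible on-chain.
        emit CapDivisorChanged(oldDivisor, newDivisor, BPS / newDivisor);
    }

    /// Effective per-wallet cap in basis points of epoch rewards (rounded down).
    function capBps() external view returns (uint256) {
        return BPS / maxCapPerWalletPerEpochDivisor;
    }

    /// Maximum amount a single wallet may receive for an epoch.
    function maxClaimable(uint256 epochRewards) public view returns (uint256) {
        return epochRewards / maxCapPerWalletPerEpochDivisor;
    }
}
```

An admin who reads `capBps()` before and after a change sees the cap shrink when the divisor grows, which is the behaviour the existing name and comment obscure.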