#41286 [SC-Critical] `accumulatedDeptRewardsYeet()` accounts for tokens under unstaking process
Submitted on Mar 13th 2025 at 10:45:12 UTC by @peppef for
Report ID: #41286
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Smart contract unable to operate due to lack of token funds
The function `accumulatedDeptRewardsYeet()` computes the surplus in $YEET token to be later distributed with `executeRewardDistributionYeet()` as the difference between the contract $YEET balance and `totalSupply`, namely the sum of the $YEET currently staked in the StakeV2 contract.
However, when a user calls `startUnstake()` to start the unstaking process, his principal amount is removed from `totalSupply` straight away, before the vesting period ends, but that amount is still in the contract $YEET balance.
This means that `accumulatedDeptRewardsYeet()` returns a higher value than it should and will assign it to `accRevToken0`. Then `executeRewardDistributionYeet()` may distribute part of user funds that should be returned to them after the vesting ends.
If, under this circumstance, a manager calls `executeRewardDistributionYeet()` with wrong parameters that pass validations, both `rageQuit()` and `unstake()` will be unable to transfer back user stakes due to a lack of funds until someone (treasury or dev team) refunds StakeV2 with the necessary $YEET.
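
The accounting described above, as a small Python model added here for illustration; it is not the StakeV2 source or the report's test. The `total_vesting` tracker, the corrected formula, the sample amounts, and the assumption that distributed surplus leaves the contract balance are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class StakeModel:
    # Toy ledger (constructed): models only the accounting the report describes.
    balance: int = 0        # $YEET held by the contract
    total_supply: int = 0   # principal currently staked
    total_vesting: int = 0  # hypothetical tracker: principal being unstaked
    vesting: dict = field(default_factory=dict)

    def stake(self, user, amount):
        self.balance += amount
        self.total_supply += amount

    def start_unstake(self, user, amount):
        # Principal leaves total_supply at once; the tokens stay in the contract.
        self.total_supply -= amount
        self.total_vesting += amount
        self.vesting[user] = self.vesting.get(user, 0) + amount

    def surplus_reported(self):
        # Formula as the report describes it: balance - totalSupply.
        return self.balance - self.total_supply

    def surplus_corrected(self):
        # Assumed fix: also exclude principal that is still vesting.
        return self.balance - self.total_supply - self.total_vesting

    def unstake(self, user):
        amount = self.vesting[user]
        if amount > self.balance:
            raise RuntimeError("insufficient $YEET to return principal")
        del self.vesting[user]
        self.balance -= amount
        self.total_vesting -= amount
        return amount

def scenario(corrected):
    m = StakeModel()
    m.stake("alice", 100)
    m.stake("bob", 50)
    m.balance += 10  # constructed: 10 $YEET of genuine surplus
    m.start_unstake("alice", 100)
    surplus = m.surplus_corrected() if corrected else m.surplus_reported()
    m.balance -= surplus  # assumption: distributed surplus leaves the contract
    try:
        return surplus, m.unstake("alice")
    except RuntimeError:
        return surplus, None
```

With the reported formula the surplus includes Alice's 100 vesting tokens, so her later `unstake` cannot be paid; with the vesting amount excluded, only the 10 tokens of real surplus are distributed.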
A test is provided for that scenario. Run with `forge test --match-test test_issue8 -vvv`: