#41286 [SC-Critical] `accumulatedDeptRewardsYeet()` accounts for tokens under unstaking process
Submitted on Mar 13th 2025 at 10:45:12 UTC by @peppef for Audit Comp | Yeet
Report ID: #41286
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Smart contract unable to operate due to lack of token funds
Description
The function `accumulatedDeptRewardsYeet()` computes the surplus of $YEET tokens to be distributed later by `executeRewardDistributionYeet()` as the difference between the contract's $YEET balance and `totalSupply`, namely the sum of the $YEET currently staked in the StakeV2 contract.
```solidity
function accumulatedDeptRewardsYeet() public view returns (uint256) {
    return stakingToken.balanceOf(address(this)) - totalSupply;
}
```
However, when a user calls `startUnstake()` to start the unstaking process, the principal amount is removed from `totalSupply` straight away, before the vesting period ends, while that amount is still part of the contract's $YEET balance.
This means that `accumulatedDeptRewardsYeet()` returns a higher value than it should, and that value is assigned to `accRevToken0`. `executeRewardDistributionYeet()` may then distribute part of the user funds that should be returned to them after the vesting ends.
If, under these circumstances, a manager calls `executeRewardDistributionYeet()` with wrong parameters that pass validation, both `rageQuit()` and `unstake()` will be unable to transfer user stakes back due to a lack of funds, until someone (treasury or dev team) refunds StakeV2 with the necessary $YEET.
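The accounting gap described above, reduced to a small Python model (an added example, not code from the report or from StakeV2). The class, its method names, the `subtract_vesting` switch, the amounts, and the assumption that distributed tokens simply leave the contract are all constructed for illustration.

```python
class StakeModel:
    """Constructed, simplified model of the accounting in the report (not StakeV2 itself)."""

    def __init__(self, subtract_vesting):
        self.subtract_vesting = subtract_vesting  # True = hypothetical corrected accounting
        self.balance = 0        # models stakingToken.balanceOf(address(this))
        self.total_supply = 0   # models totalSupply: sum of active stakes
        self.vesting = {}       # user -> principal still inside the vesting period

    def stake(self, amount):
        self.balance += amount
        self.total_supply += amount

    def start_unstake(self, user, amount):
        self.total_supply -= amount  # removed immediately; tokens stay in balance
        self.vesting[user] = self.vesting.get(user, 0) + amount

    def accumulated_rewards(self):
        surplus = self.balance - self.total_supply
        if self.subtract_vesting:
            surplus -= sum(self.vesting.values())  # exclude principal owed to unstakers
        return surplus

    def distribute(self, amount):
        if amount > self.accumulated_rewards():
            raise ValueError("amount exceeds accumulated rewards")
        self.balance -= amount  # assumption: distributed tokens leave the contract

    def unstake(self, user):
        amount = self.vesting.get(user, 0)
        if amount > self.balance:
            raise RuntimeError("insufficient token balance")  # transfer would revert
        self.vesting.pop(user, None)
        self.balance -= amount
        return amount


def run_scenario(subtract_vesting):
    m = StakeModel(subtract_vesting)
    m.stake(100)                   # alice stakes 100
    m.stake(50)                    # bob stakes 50
    m.balance += 10                # 10 tokens of genuine surplus arrive
    m.start_unstake("alice", 100)  # alice enters the vesting period
    surplus = m.accumulated_rewards()
    m.distribute(surplus)          # manager distributes the whole reported surplus
    try:
        return surplus, m.unstake("alice")
    except RuntimeError:
        return surplus, None       # alice's principal can no longer be paid
```

With the original formula the reported surplus includes the 100 tokens Alice is waiting to withdraw; once the vesting principal is subtracted, only the 10 surplus tokens are reported and her withdrawal succeeds.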
Proof of Concept
A test is provided for that scenario. Run with `forge test --match-test test_issue8 -vvv`: