#41377 [SC-Low] Retroactive Reward Cap Manipulation Allows Theft/Loss of Unclaimed Yield
Submitted on Mar 14th 2025 at 13:31:47 UTC by @DSbeX for
Report ID: #41377
Report Type: Smart Contract
Report severity: Low
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol
Impacts:
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Contract fails to deliver promised returns, but doesn't lose value
Theft of unclaimed yield
The Reward contract calculates user rewards for past epochs using the current MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR value instead of the historical value that was active during those epochs. This allows the contract owner to retroactively alter reward caps, enabling theft of unclaimed yield by increasing or decreasing their own (or others') claimable rewards for past epochs beyond the originally intended limits.
The getClaimableAmount function in Reward.sol dynamically fetches MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR from RewardSettings when calculating rewards for any epoch. Since the owner can change this value at any time, recalculations for past epochs use the new cap instead of the original one.
Exploit scenario:
Epoch 1: MAX_CAP_FACTOR = 30 -> users can claim up to 1/30 of the epoch rewards. The owner contributes 100% of the epoch volume.
Epoch 2: the owner changes MAX_CAP_FACTOR to 10.
Result: the owner's claimable rewards for Epoch 1 increase by 3x (from 1/30 -> 1/10 of the rewards).
Theft of unclaimed yield: the owner can siphon unclaimed rewards from past epochs by retroactively loosening caps.
Contract fails to deliver promised returns: users who claimed rewards under the original caps receive less than those who claim after the change.
Loss example: if epochRewards = 187,544 and MAX_CAP_FACTOR changes from 30 to 10, the loss per epoch is 187,544 * (1/10 - 1/30) = 12,503.
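The flawed read-at-claim-time pattern next to a snapshot-per-epoch fix, as an added illustration that is not the audited Reward.sol or RewardSettings.sol: the contract names, the share representation, recordShare and finalizeEpoch are hypothetical simplifications, and the cap is modelled as epochRewards / factor exactly as the scenario above describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for RewardSettings: the owner can change the factor at any time.
contract RewardSettingsModel {
    address public owner = msg.sender;
    uint256 public MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR = 30;

    function setCapFactor(uint256 factor) external {
        require(msg.sender == owner, "not owner");
        require(factor > 0, "factor must be > 0");
        MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR = factor;
    }
}

// Hypothetical stand-in for Reward, showing both the live-read and the snapshot variant.
contract RewardModel {
    uint256 private constant ONE = 1e18; // share is a fraction of epoch volume, ONE = 100%
    RewardSettingsModel public immutable settings;
    mapping(uint256 => uint256) public epochRewards;              // epoch => total rewards
    mapping(uint256 => uint256) public capFactorAtEpoch;          // epoch => factor frozen at finalization
    mapping(uint256 => mapping(address => uint256)) public share; // epoch => user => share of volume

    constructor(RewardSettingsModel s) { settings = s; }

    // Stands in for the (omitted) volume-tracking logic so the model is self-contained.
    function recordShare(uint256 epoch, address user, uint256 s) external { share[epoch][user] = s; }

    // Freeze the epoch's reward pool together with the cap factor in force when it ended.
    function finalizeEpoch(uint256 epoch, uint256 rewards) external {
        require(capFactorAtEpoch[epoch] == 0, "epoch already finalized");
        epochRewards[epoch] = rewards;
        capFactorAtEpoch[epoch] = settings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR();
    }

    // VULNERABLE pattern: the cap for a past epoch is derived from today's setting, so
    // lowering the factor from 30 to 10 after epoch 1 lifts the epoch-1 cap from 1/30 to 1/10.
    function claimableLive(uint256 epoch, address user) external view returns (uint256) {
        uint256 cap = epochRewards[epoch] / settings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR();
        return _min(epochRewards[epoch] * share[epoch][user] / ONE, cap);
    }

    // HARDENED pattern: the cap comes from the factor recorded for that epoch, so later
    // owner changes only affect epochs that have not been finalized yet.
    function claimableSnapshot(uint256 epoch, address user) external view returns (uint256) {
        require(capFactorAtEpoch[epoch] != 0, "epoch not finalized");
        uint256 cap = epochRewards[epoch] / capFactorAtEpoch[epoch];
        return _min(epochRewards[epoch] * share[epoch][user] / ONE, cap);
    }

    function _min(uint256 a, uint256 b) private pure returns (uint256) { return a < b ? a : b; }
}
```

With epochRewards = 187544 for epoch 1 and a 100% share, claimableLive returns 6251 before setCapFactor(10) and 18754 after it, while claimableSnapshot returns 6251 in both cases.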
Flawed reward calculation logic: https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/Reward.sol#L187
Owner-controlled cap adjustment (lines 41-51): https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/RewardSettings.sol#L51
The output: