#41419 [SC-Insight] Miscalculation of `maxClaimable` variable leads to users being able to claim too many or too few reward tokens
Submitted on Mar 15th 2025 at 02:14:26 UTC by @Exp10its for
Report ID: #41419
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Reward.sol
Impacts:
Permanent freezing of unclaimed royalties
Theft of unclaimed royalties
The `maxClaimable` variable in `getClaimableAmount()` is calculated incorrectly. As a result, users may be able to claim significantly more or fewer rewards than intended, depending on the `RewardSettings` configuration.
The `maxClaimable` variable in `getClaimableAmount()` is calculated as follows:
`rewardsSettings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR` is the percentage of the total rewards in an epoch that may be distributed to a single user. It is initialised to 30% by default, which aligns with the protocol docs linked below.
However, instead of multiplying by this value and dividing by 100, the contract currently divides by the value, producing an incorrect `maxClaimable`. More specifically, the `maxClaimable` value becomes:
`(100 / rewardsSettings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR)%`
instead of:
`rewardsSettings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR%`
As a result of this issue, users may be able to claim more or fewer funds than intended, depending on configuration.
If `rewardsSettings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR` is configured to be greater than 10, users owed funds above a certain threshold will permanently be unable to claim some of their funds.
For example, taking the default value of 30, the `maxClaimable` value becomes ~3.33% (100/30). Hence, a user who has yeeted enough funds to be owed 10% of the rewards for the epoch will only be able to claim ~3.33%, losing ~6.66% of their owed rewards.
If `rewardsSettings.MAX_CAP_PER_WALLET_PER_EPOCH_FACTOR` is configured to be less than 10, users will be able to claim more funds than they are owed. If the pool balance falls below the total claimable rewards, this results in the theft of protocol funds or of other users' unclaimed funds.
For example, taking the current onchain value of 5, the `maxClaimable` value becomes 20% (100/5). Hence, users can claim up to 20% of the rewards for the epoch, far exceeding the intended 5% limit.
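As an added illustration (not the report's tests and not code from `Reward.sol`), the following Python models the two cap formulas described above with integer arithmetic, as Solidity would compute them, and shows the per-wallet shortfall at a factor of 30, the excess at 5, and the coincidence at 10. The function names, the `total_epoch_rewards` figure and the owed amounts are constructed for the example.

```python
# Added example, not code from the report or from Reward.sol: it models the two
# ways of deriving maxClaimable described in the report (the reported division
# and the intended percentage), using integer division as Solidity would.
# Function and parameter names are assumed for illustration.

def max_claimable_reported(total_epoch_rewards: int, factor: int) -> int:
    """Cap as the report says the contract computes it: total / factor."""
    if factor <= 0:
        raise ValueError("factor must be positive (Solidity reverts on /0)")
    return total_epoch_rewards // factor


def max_claimable_intended(total_epoch_rewards: int, factor: int) -> int:
    """Cap as documented: factor percent of the epoch's total rewards."""
    if not 0 < factor <= 100:
        raise ValueError("factor is a percentage in (0, 100]")
    return total_epoch_rewards * factor // 100


def epoch_outcome(total_epoch_rewards: int, factor: int, owed: int) -> dict:
    """Compare what one wallet can claim under each cap for one epoch.

    shortfall: rewards owed that can never be claimed (factor > 10)
    excess:    rewards claimed above the intended cap (factor < 10)
    """
    intended_cap = max_claimable_intended(total_epoch_rewards, factor)
    actual_cap = max_claimable_reported(total_epoch_rewards, factor)
    intended_claim = min(owed, intended_cap)
    actual_claim = min(owed, actual_cap)
    return {
        "intended_cap": intended_cap,
        "actual_cap": actual_cap,
        "intended_claim": intended_claim,
        "actual_claim": actual_claim,
        "shortfall": max(intended_claim - actual_claim, 0),
        "excess": max(actual_claim - intended_claim, 0),
    }


def caps_agree(factor: int) -> bool:
    """The two formulas coincide only when factor == 100 / factor, i.e. 10."""
    return factor * factor == 100


if __name__ == "__main__":
    total = 1_000_000  # constructed epoch reward total, arbitrary units
    for factor, owed in ((30, 100_000), (10, 120_000), (5, 150_000)):
        print(factor, caps_agree(factor), epoch_outcome(total, factor, owed))
```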
https://docs.yeetit.xyz/yeet/yeet-game/mechanics
The two tests below are derived from the existing test case (which only tests at 10%, an edge case where the current calculation is equivalent to the correct one). The first test demonstrates the issue at 30%; the second demonstrates it at 5%.