#41487 [SC-Critical] Updates totalSupply before transferring the tokens which causes calculating more reward tokens
Submitted on Mar 15th 2025 at 20:18:10 UTC by @Yaneca_b for
Report ID: #41487
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
The totalSupply variable is reduced immediately during startUnstake(), before tokens are fully unlocked from vesting. This leads to inflated reward calculations, allowing malicious users to initiate vesting, claim an unfairly high proportion of rewards, and exit without penalty. If exploited in production, the staking pool could be drained, leaving honest stakers with little to no rewards.
The core issue lies within the startUnstake() function:
Here, totalSupply is decremented immediately when the unstake process starts, even though the tokens are still technically held within the contract under vesting. This results in a misleadingly lower totalSupply, which artificially increases the share of rewards each remaining staker receives, including the attacker, who still has their full reward eligibility.
When the totalSupply is reduced but the corresponding rewards are not properly transferred, the accumulatedDeptRewardsYeet() function returns an inflated rewards amount. This results in an over-distribution of staked funds as rewards, potentially draining the contract’s balance. Over time, this imbalance can lead to insolvency, leaving the protocol unable to meet user withdrawals or honor legitimate reward distributions.
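The accounting gap described above, as an added Python model that is not code from the report or from StakeV2.sol. It assumes the distributable surplus is computed as the contract's token balance minus totalSupply; the total_vesting counter and all class and function names are hypothetical, shown as one possible way to keep vesting principal out of that surplus.

```python
# Constructed model of the staking accounting; amounts are sample values.
class StakeModel:
    def __init__(self, track_vesting):
        self.track_vesting = track_vesting  # True = hardened accounting (assumption)
        self.balance = 0        # staking tokens held by the contract
        self.total_supply = 0   # totalSupply: tokens counted as staked
        self.total_vesting = 0  # hypothetical counter: principal still vesting

    def stake(self, amount):
        self.balance += amount
        self.total_supply += amount

    def start_unstake(self, amount):
        # Behaviour described in the report: totalSupply drops here,
        # while the tokens stay in the contract until vesting ends.
        self.total_supply -= amount
        if self.track_vesting:
            self.total_vesting += amount

    def finish_unstake(self, amount):
        # Tokens leave the contract only when vesting completes.
        self.balance -= amount
        if self.track_vesting:
            self.total_vesting -= amount

    def surplus(self):
        # Assumed surplus formula: tokens held minus principal still owed.
        # Without tracking, total_vesting stays 0 and vesting principal
        # is counted as if it were reward.
        return self.balance - self.total_supply - self.total_vesting


def surplus_timeline(track_vesting):
    """Return the surplus (during vesting, after vesting) for one unstake."""
    m = StakeModel(track_vesting)
    m.stake(1000)         # honest staker
    m.stake(500)          # second staker
    m.start_unstake(500)  # second staker enters vesting
    during = m.surplus()
    m.finish_unstake(500)
    return during, m.surplus()


if __name__ == "__main__":
    print("as reported:", surplus_timeline(False))
    print("with vesting tracked:", surplus_timeline(True))
```

No reward was ever deposited in this run, so any non-zero surplus during vesting is principal being reported as reward.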
https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/StakeV2.sol#L149
https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/StakeV2.sol#L255