#41488 [SC-Insight] In `StakeV2.sol` there exists a critical flaw that allows adversaries to earn more rewards than should be possible for a period of having staked minimal tokens.
Was this helpful?
Was this helpful?
Submitted on Mar 15th 2025 at 20:45:13 UTC by @Oxbakeng for
Report ID: #41488
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Theft of unclaimed yield
Theft of unearned yield/rewards
In StakeV2.sol
, there exists a critical flaw in the reward distribution mechanism that allows adversaries to earn disproportionate rewards by frontrunning reward distribution. Adversaries can stake the minimal amount possible during normal operation, then frontrun reward distributions with a much larger stakes to claim rewards they haven't legitimately earned, creating an unfair advantage and effectively stealing yield from honest long-term stakers.
The vulnerability stems from how the contract calculates and distributes rewards. The core issue is that rewards are calculated based on a user's current balance multiplied by the difference between the current reward index and the user's last recorded index, without considering how long tokens have been staked.
The vulnerable code flow involves several functions:
The _updateRewards() function updates the user's earned rewards and sets their reward index to the current global index:
During reward distribution, the global reward index is updated based on the current total supply:
When calculating rewards, the contract uses the user's current balance:
The key vulnerability is that when a user stakes right before a reward distribution, their newly staked tokens are included in:
The totalSupply
used to calculate the reward index update (diluting rewards for everyone).
Their balanceOf[account]
when they later claim rewards.
This allows them to earn rewards on tokens that weren't staked during the actual reward accumulation period.
This vulnerability allows malicious users to:
Stake the most minimal amount allowed (i.e 1 token) during normal operation.
Monitor for upcoming reward distribution transactions.
Frontrun these transactions with large stakes.
Earn rewards on their entire stake as if it had been staked the entire time.
Potentially unstake shortly after to repeat the process.
The economic impact is significant:
Honest long term stakers receive fewer rewards than they should.
Malicious users receive more rewards than they deserve.
The protocol's reward system is manipulated.
The vulnerability can be exploited repeatedly further compromising the staking system.
I believe this issue is a HIGH Severity issue as it qualifies as "Theft of unclaimed yield", as it allows adversaries to claim rewards they haven't legitimately earned.
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Attacker stakes the most minimal amount allowed/possible i.e 1 wei token amount.
Honest users stake large amount i.e 10k+ tokens.
Adversary monitors the berachain for pending reward distribution transactions, alternatively the routine for reward distribution.
Adversary frontruns with 10k tokens or stakes these tokens on the period distribution will most likely happen, either or will work.
The end result is the adversary gaining more than they should after staking a minimal amount all along vs honest users who staked much more and end up getting way less than they should compared to the adversary getting way more unfairly.
Adversary can unstake the large portion to begin the vesting period and unstake the amount, then repeat when rewards are due again, creating an unfair cycle of rewards theft while attacker remains liquid each time entire tokens are unlocked, meanwhile honest stakers have staked indefinitely.