#41492 [SC-Insight] Incorrect Reward Value Emitted in `executeRewardDistributionYeet` Function
Was this helpful?
Was this helpful?
Submitted on Mar 15th 2025 at 21:16:25 UTC by @chista0x for
Report ID: #41492
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
In the executeRewardDistributionYeet
function, the event RewardsDistributedToken0
is emitted with accRevToken0
as its parameter, which represents the total accumulated rewards rather than the actual amount distributed. This misrepresentation can lead to inaccurate off-chain tracking and analytics.
The function calculates the accumulated rewards (accRevToken0
) and ensures that the swap's inputAmount
does not exceed this total. However, when approving tokens and executing the swap, only swap.inputAmount
is actually intended to be used for the distribution. Despite this, the event is emitted with accRevToken0
:
This means that the emitted event logs a value that does not accurately reflect the amount of tokens that were actually processed through the swap. As a result, any external monitoring systems or analytics relying on these event logs will have misleading data regarding reward distribution.
Misleading Event Data: The event log reports an inflated reward amount, which could confuse off-chain analytics, user interfaces, or other monitoring tools.
Inaccurate Accounting: Relying on these events for auditing purposes or reward calculations may lead to discrepancies in tracking the actual funds distributed.
Reduced Transparency: The discrepancy undermines the transparency of the reward distribution process, potentially affecting stakeholder trust.
To ensure that the event accurately reflects the actual tokens used for the reward distribution, update the event emission to use swap.inputAmount
instead of accRevToken0
. The modified code should be:
This adjustment will provide a correct representation of the reward distribution and improve off-chain monitoring and auditing processes.
The core issue can be observed in the following snippet:
Here, although swap.inputAmount
is the correct amount intended for the distribution, accRevToken0
(which could be greater) is being emitted, leading to a mismatch in the reported reward amount.