#41542 [SC-Insight] The 20% charged as a `yeetback` is not considered as part of `addYeetVolume` and `boostedValue`
Submitted on Mar 16th 2025 at 12:27:35 UTC by @robin_bl4z3 for Audit Comp | Yeet
Report ID: #41542
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeet.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
Description
Brief/Intro
The documentation says that the after-tax value of a yeet (100%) is distributed like this:
80% of the pot goes to the last yeeter (the winner)
20% goes to 10 random users
But the 20% share is not considered when it comes to addYeetVolume; only the 80% share (valueToPot) of the after-tax deposit is. The full 100% of the after-tax amount should determine the $Yeet reward a user receives.
Vulnerability Details
As the docs state (see the reference, or screenshot #2 in the attachments), 15% of every yeet is taxed, and the after-tax value is then split 80/20: 80% to the winner and 20% to the other random winners.
When a user participates, they provide $BERA and receive $Yeet as a reward in proportion to the $BERA they provided. Aside from the tax, the contract only counts the 80% share (valueToPot) as the volume provided by the user, and that volume determines both the $Yeet reward and the boosted value they receive. The 20% share that goes to the other 10 winners is not counted at all. This contradicts the docs, which state that a user who does not wish to compete for the pot but only wants to earn $Yeet rewards can yeet to do so; under the current code such a user is only credited for 80% of their after-tax YeetVolume.
Impact Details
Users do not receive the returns promised in the docs (screenshot #1), which state that BoostedValue depends on how much $BERA an address has yeeted in an epoch (presumably excluding tax).
Users are credited for only 80% of their after-tax YeetVolume, leaving out the remaining 20%, which lowers both the $YeetReward and the BoostedValue they receive.
References
https://docs.yeetit.xyz/yeet/yeet-game/mechanics (YeetingRewards section and Lottery Section)
Recommendation
Use the full after-tax amount of $BERA an address has yeeted (valueToPot + valueToYeetback) to calculate the $Yeet reward and BoostedValue they receive.
Proof of Concept
Let's assume that Finding 5 from the pre-audit report is fixed (for simplicity).
When we look at the _yeet function, it calls getDistribution, which computes the tax (10% of the total amount), the yeetback amount (20% of the after-tax amount) and the pot value (80% of the after-tax amount), and returns these values:
https://github.com/yeet-protocol/contracts/blob/main/src/Yeet.sol#L284C2-L285C38
(uint256 valueToPot, uint256 valueToYeetback, uint256 valueToStakers, uint256 publicGoods, uint256 teamRevenue)
    = getDistribution(msg.value);
That means valueToPot represents the 80% for the single winner and valueToYeetback represents the 20% for the 10 random winners, which together make up 100% of the after-tax value. But when we get to addYeetVolume (and getBoostedValue), only the 80% in valueToPot is used to reward the user with $Yeet:
https://github.com/yeet-protocol/contracts/blob/main/src/Yeet.sol#L329C8-L330C65
uint256 boostedValue = getBoostedValue(msg.sender, valueToPot, tokenIds);
rewardsContract.addYeetVolume(msg.sender, boostedValue);
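To make the under-crediting described in the Brief, Vulnerability Details and Proof of Concept above concrete, the following is an added Python model of the distribution arithmetic. It is not the project's code and not part of the original report. It assumes Solidity-style basis-point integer math with floor division, defaults to the 10% tax stated in the PoC (the 15% figure from the docs is exposed as a parameter), assumes a tax sub-split into stakers / public goods / team only so the return shape matches the quoted getDistribution tuple, and models getBoostedValue as a flat multiplier because the real NFT-dependent boost is not described on the page. The helper names (credited_volume_current, credited_volume_recommended, shortfall_bps, EpochVolume, epoch_credit) are hypothetical.

```python
"""Integer model of the Yeet distribution and volume-credit arithmetic.

Constructed example, not the project's code. Tax is taken off the top, then the
after-tax value is split 80/20 between valueToPot (last yeeter) and
valueToYeetback (10 random winners). The split of the tax itself into
stakers / public goods / team is an assumption made here only so the tuple
shape matches the getDistribution call quoted in the PoC.
"""
from dataclasses import dataclass

BPS = 10_000                 # basis points, mirrors common Solidity fee math
TAX_BPS_CODE = 1_000         # 10% tax, as stated in the report's PoC
TAX_BPS_DOCS = 1_500         # 15% tax, as stated in the docs quoted in the report
YEETBACK_BPS = 2_000         # 20% of the after-tax value goes to 10 random users
# assumed split of the tax (not on the page): 50% stakers, 25% public goods, rest team
STAKERS_BPS, PUBLIC_GOODS_BPS = 5_000, 2_500


@dataclass(frozen=True)
class Distribution:
    value_to_pot: int
    value_to_yeetback: int
    value_to_stakers: int
    public_goods: int
    team_revenue: int

    @property
    def after_tax(self) -> int:
        return self.value_to_pot + self.value_to_yeetback

    @property
    def tax(self) -> int:
        return self.value_to_stakers + self.public_goods + self.team_revenue


def get_distribution(value: int, tax_bps: int = TAX_BPS_CODE) -> Distribution:
    """Split a yeet of `value` wei the way the report describes getDistribution.

    Floor division on ints, as in Solidity; every remainder is assigned to the
    last bucket so the pieces always sum to `value` exactly (the rounding
    policy is an assumption, not taken from the page).
    """
    tax = value * tax_bps // BPS
    after_tax = value - tax
    value_to_yeetback = after_tax * YEETBACK_BPS // BPS
    value_to_pot = after_tax - value_to_yeetback           # the remaining 80%
    value_to_stakers = tax * STAKERS_BPS // BPS
    public_goods = tax * PUBLIC_GOODS_BPS // BPS
    team_revenue = tax - value_to_stakers - public_goods
    return Distribution(value_to_pot, value_to_yeetback,
                        value_to_stakers, public_goods, team_revenue)


def credited_volume_current(value: int, tax_bps: int = TAX_BPS_CODE) -> int:
    """What addYeetVolume is fed today: only valueToPot (80% of after-tax)."""
    return get_distribution(value, tax_bps).value_to_pot


def credited_volume_recommended(value: int, tax_bps: int = TAX_BPS_CODE) -> int:
    """What the report recommends: valueToPot + valueToYeetback (100% of after-tax)."""
    d = get_distribution(value, tax_bps)
    return d.value_to_pot + d.value_to_yeetback


def shortfall_bps(value: int, tax_bps: int = TAX_BPS_CODE) -> int:
    """Share of after-tax volume the user is never credited for, in basis points."""
    rec = credited_volume_recommended(value, tax_bps)
    cur = credited_volume_current(value, tax_bps)
    return (rec - cur) * BPS // rec


class EpochVolume:
    """Minimal stand-in for the rewards contract's addYeetVolume accumulator.

    `boost_bps` models getBoostedValue as a flat multiplier; the real function
    depends on the caller's NFTs (tokenIds), which the page does not detail.
    """

    def __init__(self, boost_bps: int = 0) -> None:
        self.boost_bps = boost_bps
        self.volume: dict[str, int] = {}

    def add_yeet_volume(self, user: str, value: int) -> None:
        boosted = value * (BPS + self.boost_bps) // BPS
        self.volume[user] = self.volume.get(user, 0) + boosted


def epoch_credit(yeets: list, use_full_after_tax: bool, boost_bps: int = 0) -> dict:
    """Replay (user, msg.value) yeets and return per-user credited volume.

    use_full_after_tax=False reproduces the current code path (valueToPot only);
    True reproduces the report's recommendation (whole after-tax amount).
    """
    epoch = EpochVolume(boost_bps)
    for user, value in yeets:
        d = get_distribution(value)
        volume = d.after_tax if use_full_after_tax else d.value_to_pot
        epoch.add_yeet_volume(user, volume)
    return epoch.volume


if __name__ == "__main__":
    # constructed sample: three yeets in one epoch, two from the same address
    sample = [("alice", 10 * 10**18), ("bob", 3 * 10**18), ("alice", 1_234_567)]
    print("current:    ", epoch_credit(sample, use_full_after_tax=False))
    print("recommended:", epoch_credit(sample, use_full_after_tax=True))
    print("shortfall bps:", shortfall_bps(10 * 10**18))
```

The shortfall is a constant 20% of after-tax volume regardless of the tax rate, so the 10% vs 15% discrepancy between the PoC and the docs does not change the finding; only the base it applies to changes.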