Was this helpful?
Submitted on Mar 16th 2025 at 12:27:35 UTC by @robin_bl4z3 for
Report ID: #41542
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/Yeet.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
The Documentation says the pool's value of 100% is distributed like this
80% of the pot goes to the lastYeet (Winner)
20% goes to the 10 random users
But the 20% is not considered when it comes to addYeetVolume, only the 80% of the deposited amount after tax is. It should be 100% after-tax amount that determines the $Yeet Reward a user should get.
As the docs said (Check reference or screenshot #2 in Attachments), the mechanism is that 15% of every yeet is taxed, then the ValueAftertax is distributed as 80-20. 80% to the winner and 20% to other random winners.
But as you know, when a user participates, they provide $BERA and receive $Yeet as a reward according to the $BERA amount they provided. Aside from tax, the contract only takes 80% as the volume provided by the user, and that determines the $Yeet and Boosted Value they will get. But that seems to be incorrect as the 20% that would go to the other 10 winners is not considered for $Yeet rewards, as the docs said even if the user does not wish to participate but only wants to earn $Yeet rewards they can do so, but they will only be entitled to 80% of their YeetVolume
Users do not get their promised returns as it was stated in the docs (Scrrenshot #1) that calculating BoostedValue depends on how much $BERA an address has yeeted in an epoch (assuming it excludes tax).
Users will be entitled to only 80%of theirYeetVolumeand leaving the20%, which will result in the low amount of $YeetReward andBoostedValue` they will get.
https://docs.yeetit.xyz/yeet/yeet-game/mechanics (YeetingRewards section and Lottery Section)
Consider the amount of $BERA an address has yeeted to calculate the $Yeet and BoostedValue they will receive.
Let's assume that Finding 5 is fixed from the pre-audit (for simplicity)
When we look at the _yeet function, it calls getDistribution which will calculate tax (10% of the total amount), the yeetback amount (20% of the taxed amount), and the PotValue (80% of the taxed amount). and return values
https://github.com/yeet-protocol/contracts/blob/main/src/Yeet.sol#L284C2-L285C38
That means the valueToPot represents the 80% of one winner and valueToYeetback represents 20% of 10 winners, which makes up 100%. But when we go get the addYeetVolume (or BoostedValue). The 80% valueToPot is used to reward the user $Yeet rewards.
https://github.com/yeet-protocol/contracts/blob/main/src/Yeet.sol#L329C8-L330C65
