#41633 [SC-High] Users might lose some of the rewards they’re supposed to get.
Submitted on Mar 17th 2025 at 06:19:51 UTC by @p0wd3r for Audit Comp | Yeet
Report ID: #41633
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Permanent freezing of unclaimed yield
Description
Brief/Intro
Users might lose some of the rewards they’re supposed to get.
Vulnerability Details
During the zapOut
process, the zapper will perform a swap based on the input swapData
, and if there’s any leftover, it’ll return it to the msg.sender
as the comment says.
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol#L296-L312
/// @dev Bera is sent to the receiver. Any extra token0 and token1 is sent back to the _msgSender().
/// @dev integrating contracts must handle any returned token0 and token1
function zapOutNative(
address receiver,
SingleTokenSwap calldata swapData0,
SingleTokenSwap calldata swapData1,
IZapper.KodiakVaultUnstakingParams calldata unstakeParams,
IZapper.VaultRedeemParams calldata redeemParams
) public nonReentrant onlyWhitelistedKodiakVaults(unstakeParams.kodiakVault) returns (uint256 totalNativeOut) {
(IERC20 token0, IERC20 token1, uint256 token0Debt, uint256 token1Debt) = _yeetOut(redeemParams, unstakeParams);
if (token0Debt == 0 && token1Debt == 0) {
return (0);
}
totalNativeOut = _swapToWBERA(token0, token1, token0Debt, token1Debt, swapData0, swapData1);
_sendNativeToken(receiver, totalNativeOut);
}
function _swapToWBERA(
IERC20 token0,
IERC20 token1,
uint256 token0Debt,
uint256 token1Debt,
SingleTokenSwap calldata swapData0,
SingleTokenSwap calldata swapData1
) internal returns (uint256 wBeraDebt) {
if (address(token0) == address(wbera)) {
wBeraDebt += token0Debt;
token0Debt = 0;
} else {
wBeraDebt += _verifyTokenAndSwap(swapData0, address(token0), address(wbera), address(this));
token0Debt -= swapData0.inputAmount;
}
if (address(token1) == address(wbera)) {
wBeraDebt += token1Debt;
token1Debt = 0;
} else {
wBeraDebt += _verifyTokenAndSwap(swapData1, address(token1), address(wbera), address(this));
token1Debt -= swapData1.inputAmount;
}
// log yeetBalance
_clearUserDebt(token0, token1, token0Debt, token1Debt, _msgSender());
}
User will call zapper.zapOut
through claimRewardsInNative
, meaning the leftover tokens will be returned to the StakeV2
contract instead of the user.
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol#L327-L343
function claimRewardsInNative(
uint256 amountToWithdraw,
IZapper.SingleTokenSwap calldata swapData0,
IZapper.SingleTokenSwap calldata swapData1,
IZapper.KodiakVaultUnstakingParams calldata unstakeParams,
IZapper.VaultRedeemParams calldata redeemParams
) external nonReentrant {
_updateRewards(msg.sender);
IZapper.VaultRedeemParams memory updatedRedeemParams = _verifyAndPrepareClaim(amountToWithdraw, redeemParams);
IERC20(redeemParams.vault).approve(address(zapper), amountToWithdraw);
uint256 receivedAmount =
zapper.zapOutNative(msg.sender, swapData0, swapData1, unstakeParams, updatedRedeemParams);
emit Claimed(msg.sender, receivedAmount);
}
Those tokens should actually belong to the user since they were exchanged using their vault share.
Impact Details
Users might lose some of the rewards they’re supposed to get and it’s really hard for users to set swapData.inputAmount
to match the returned amount
because the price of the share keeps changing.
References
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol#L296-L312
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol#L327-L343
Proof of Concept
Proof of Concept
The user calls
claimRewardsInNative
and owns 100 vault shares, which at the current market price can be exchanged for 50 token0. So, the user setsswapData.inputAmount
to 50.When the user’s transaction is executed on-chain, the price changes, and 100 vault shares can now be exchanged for 60 token0.
Since the user set
inputAmount
to 50, they only receive the native token equivalent of 50 token0. The remaining 10 token0 are transferred to theStakeV2
contract, and the user can no longer access them, resulting in the user losing the reward equivalent to those 10 token0.
Was this helpful?