#41633 [SC-High] Users might lose some of the rewards they’re supposed to get.
Submitted on Mar 17th 2025 at 06:19:51 UTC by @p0wd3r for Audit Comp | Yeet
Report ID: #41633
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Permanent freezing of unclaimed yield
Description
Brief/Intro
Users might lose some of the rewards they’re supposed to get.
Vulnerability Details
During the zapOut
process, the zapper will perform a swap based on the input swapData
, and if there’s any leftover, it’ll return it to the msg.sender
as the comment says.
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol#L296-L312
User will call zapper.zapOut
through claimRewardsInNative
, meaning the leftover tokens will be returned to the StakeV2
contract instead of the user.
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol#L327-L343
Those tokens should actually belong to the user since they were exchanged using their vault share.
Impact Details
Users might lose some of the rewards they’re supposed to get and it’s really hard for users to set swapData.inputAmount
to match the returned amount
because the price of the share keeps changing.
References
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol#L296-L312
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol#L327-L343
Proof of Concept
Proof of Concept
The user calls
claimRewardsInNative
and owns 100 vault shares, which at the current market price can be exchanged for 50 token0. So, the user setsswapData.inputAmount
to 50.When the user’s transaction is executed on-chain, the price changes, and 100 vault shares can now be exchanged for 60 token0.
Since the user set
inputAmount
to 50, they only receive the native token equivalent of 50 token0. The remaining 10 token0 are transferred to theStakeV2
contract, and the user can no longer access them, resulting in the user losing the reward equivalent to those 10 token0.
Was this helpful?