#41639 [SC-Insight] Cross-Vault Reward Arbitrage in StakeV2 Allows Yield Theft
Submitted on Mar 17th 2025 at 07:55:55 UTC by @DoD4uFN for Audit Comp | Yeet
Report ID: #41639
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Theft of unclaimed yield
Description
Brief/Intro
The StakeV2 contract allows users to claim staking rewards in the form of shares from different MoneyBrinter vaults. However, due to improper tracking of reward distributions, users can claim rewards from any whitelisted vault, regardless of which vault was used for their reward distribution. This enables users to exchange lower-value shares for higher-value shares, effectively stealing yield from other stakers.
Vulnerability Details
In StakeV2, when the manager calls executeRewardDistributionYeet, the Zapper contract performs a series of operations to convert YEET tokens into vault shares, which are then allocated as rewards to stakers. However, the contract does not properly associate users’ earned rewards with the specific MoneyBrinter vault from which they originated.
The _handleVaultShares function updates the total vault shares but does not track which vault the shares belong to.
The _verifyAndPrepareClaim function allows users to withdraw their earned shares from any whitelisted MoneyBrinter vault, without verifying that their rewards originated from that specific vault.
As a result, a user who earned shares from a vault with a lower share price can claim shares from a vault with a higher share price, effectively gaining more value than they are entitled to.
Example Scenario:
A user stakes YEET and earns 10 shares in Vault A, where each share is worth $5 (total $50).
The user calls claimRewardsInNative, but instead of withdrawing from Vault A, they specify Vault B, where each share is worth $10.
The contract does not verify the vault mismatch and allows the user to withdraw 10 shares from Vault B, giving them $100 instead of $50.
This results in a net loss of $50 to the protocol and other stakers.
The issue stems from the lack of vault-specific reward tracking in _handleVaultShares and _verifyAndPrepareClaim, allowing a user to arbitrage reward shares across different vaults.
Impact Details
This vulnerability allows users to unfairly claim higher-value rewards at the expense of other stakers, leading to direct yield loss to the honest stakers. Depending on the total TVL of the protocol, the impact could lead to significant fund misallocations.
References
StakeV2.sol:executeRewardDistributionYeet
StakeV2.sol:_handleVaultShares
StakeV2.sol:claimRewardsInNative
StakeV2.sol:_verifyAndPrepareClaim
Recommended Fix
Track rewards on a per-vault basis to ensure users can only claim from the vault where their rewards originated.
Modify _handleVaultShares to store vault-specific reward information.
Update _verifyAndPrepareClaim to enforce reward claims from the correct vault.
Proof of Concept
Manager distributes rewards into a high-value MoneyBrinter vault.
User stakes tokens.
Manager distributes rewards into a low-value MoneyBrinter vault.
User earns shares of the low-value vault.
User claims rewards but specifies a high-value MoneyBrinter vault.
Contract fails to validate vault-specific rewards and allows the user to claim overvalued shares.
User profits by swapping low-value shares for high-value ones, stealing yield from other stakers.
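The accounting gap from the Example Scenario and the per-vault tracking from the Recommended Fix, modeled side by side in Python. This is an added illustration, not StakeV2 code and not part of the original report: the class names, the vault labels and prices, and the simplification that a distribution is credited directly to one user (rather than pro rata to all stakers) are assumptions.

```python
from collections import defaultdict

PRICES = {"A": 5, "B": 10}  # constructed: $ value of one share per whitelisted vault

class PooledLedger:
    """Accounting as the report describes it: owed shares carry no vault of origin."""
    def __init__(self):
        self.held = defaultdict(int)    # vault -> shares held by the staking contract
        self.earned = defaultdict(int)  # user -> shares owed

    def distribute(self, vault, user, shares):
        self.held[vault] += shares
        self.earned[user] += shares

    def claim(self, user, vault, shares):
        if vault not in PRICES:
            raise ValueError("vault not whitelisted")
        if shares > self.earned[user] or shares > self.held[vault]:
            raise ValueError("insufficient shares")
        self.earned[user] -= shares
        self.held[vault] -= shares
        return shares * PRICES[vault]   # $ value paid out

class PerVaultLedger:
    """Recommended fix: owed shares are keyed by (user, vault)."""
    def __init__(self):
        self.earned = defaultdict(int)  # (user, vault) -> shares owed

    def distribute(self, vault, user, shares):
        self.earned[(user, vault)] += shares

    def claim(self, user, vault, shares):
        if vault not in PRICES:
            raise ValueError("vault not whitelisted")
        if shares > self.earned[(user, vault)]:
            raise ValueError("rewards were not earned in this vault")
        self.earned[(user, vault)] -= shares
        return shares * PRICES[vault]

def run_scenario(ledger):
    """Report's example: user earns 10 Vault A shares, then names Vault B in the claim."""
    ledger.distribute("B", "other_staker", 10)  # earlier distribution into Vault B
    ledger.distribute("A", "user", 10)
    try:
        return ledger.claim("user", "B", 10)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print("pooled:", run_scenario(PooledLedger()))
    print("per-vault:", run_scenario(PerVaultLedger()))
```

In the pooled model the mismatched claim also leaves the other staker with 10 shares owed and no Vault B shares left to pay them, which is the loss to honest stakers the report describes.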