#41644 [SC-High] `_clearUserDebt` in zapOut function sends the remaining tokens to `msg.sender` instead of receiver.

Submitted on Mar 17th 2025 at 08:22:59 UTC by @OxAnmol for

Report ID: #41644
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/Zapper.sol
Impacts:
- Permanent freezing of funds

Description

Brief/Intro

The Zapper:zapOut function uses _clearUserDebt to send remaining tokens that were not swapped back to the user. However, _msgSender() is incorrectly used as the destination address, which sends funds to the StakerV2 contract instead of the actual user.

Vulnerability Details

When users call claimRewardsInToken, claimRewardInToken1, or claimRewardInToken0 in the StakerV2 contract, they provide a SingleTokenSwap struct as a parameter. This includes an amountIn for the token the user wants to swap from.

function claimRewardsInToken(
    uint256 amountToWithdraw,
    address outputToken,
    IZapper.SingleTokenSwap calldata swap0,
    IZapper.SingleTokenSwap calldata swap1,
    IZapper.KodiakVaultUnstakingParams calldata unstakeParams,
    IZapper.VaultRedeemParams calldata redeemParams
) external nonReentrant {
    _updateRewards(msg.sender);

    IZapper.VaultRedeemParams memory updatedRedeemParams = _verifyAndPrepareClaim(amountToWithdraw, redeemParams);

    IERC20(redeemParams.vault).approve(address(zapper), amountToWithdraw);
    uint256 receivedAmount =
                        zapper.zapOut(outputToken, msg.sender, swap0, swap1, unstakeParams, updatedRedeemParams);

    emit Claimed(msg.sender, receivedAmount);
}

The Zapper:zapOut function performs several operations:

Redeems token1 and token0/YEET and WBERA from Kodiak
Swaps token1 and token0 to the desired output token based on the amountIn provided by the user
Sends the output amount to the user/receiver
Checks if there are any remaining token1 and token0 that were not used for swapping
In step 4, it uses _msgSender() (which is the StakerV2 contract) as the destination for unused tokens instead of the receiver

function zapOut(
    address outputToken,
    address receiver,
    SingleTokenSwap calldata swap0,
    SingleTokenSwap calldata swap1,
    KodiakVaultUnstakingParams calldata unstakeParams,
    VaultRedeemParams calldata redeemParams
)
    public
    override
    nonReentrant
    onlyWhitelistedKodiakVaults(unstakeParams.kodiakVault)
    returns (uint256 totalAmountOut)
{
    (
        IERC20 token0,
        IERC20 token1,
        uint256 token0Debt,
        uint256 token1Debt
    ) = _yeetOut(redeemParams, unstakeParams);
    if (token0Debt == 0 && token1Debt == 0) {
        return totalAmountOut;
    }
    // @note -> Do I need to check this, what happens if I don't.
    if (outputToken == address(token0)) {
        revert("Zapper: Invalid output token");
    } else if (outputToken == address(token1)) {
        revert("Zapper: Invalid output token");
    } else {
        // sent directly to receiver. What is receiver is zapper?
        totalAmountOut += _verifyTokenAndSwap(
            swap0,
            address(token0),
            outputToken,
            receiver
        );
        token0Debt -= swap0.inputAmount;
        totalAmountOut += _verifyTokenAndSwap(
            swap1,
            address(token1),
            outputToken,
            receiver
        );
        token1Debt -= swap1.inputAmount;
    }
    //@audit should I send token0 and token1 to receiver/user ?
->>  _clearUserDebt(token0, token1, token0Debt, token1Debt, _msgSender());
}

Impact Details

Users will lose all tokens that were not used for swapping. According to the impact scope, this constitutes "Permanent freezing of funds," which is a critical severity bug.

References

https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/contracts/Zapper.sol#L352

Proof of Concept

Flow

A user calls StakerV2:claimRewardsInToken to claim a reward in USDC. They want to swap 100 token0 and 100 token1 to USDC.
Zapper:zapOut is called and calculates the amounts. Based on the user's stakes, they're eligible for 200 token0 and 200 token1.
_verifyTokenAndSwap swaps 100 token0 and 100 token1 to USDC as specified by the user and sends that to the receiver/user.
Only 100 tokens of each type are utilized, and the remaining 100 of each should be returned to the receiver.

However, in _clearUserDebt, _msgSender() is used as the destination for remaining funds, which is actually the StakerV2 contract, not the user

Previous#42189 [SC-High] User rewards incorrectly transferred to `StakeV2` instead of claimant Next#41688 [SC-Insight] Code can be optimized to to save a significant amount of gas.

Was this helpful?

Vulnerability Details

function claimRewardsInToken(
    uint256 amountToWithdraw,
    address outputToken,
    IZapper.SingleTokenSwap calldata swap0,
    IZapper.SingleTokenSwap calldata swap1,
    IZapper.KodiakVaultUnstakingParams calldata unstakeParams,
    IZapper.VaultRedeemParams calldata redeemParams
) external nonReentrant {
    _updateRewards(msg.sender);

    IZapper.VaultRedeemParams memory updatedRedeemParams = _verifyAndPrepareClaim(amountToWithdraw, redeemParams);

    IERC20(redeemParams.vault).approve(address(zapper), amountToWithdraw);
    uint256 receivedAmount =
                        zapper.zapOut(outputToken, msg.sender, swap0, swap1, unstakeParams, updatedRedeemParams);

    emit Claimed(msg.sender, receivedAmount);
}

The Zapper:zapOut function performs several operations:

Redeems token1 and token0/YEET and WBERA from Kodiak

Swaps token1 and token0 to the desired output token based on the amountIn provided by the user

Sends the output amount to the user/receiver

Checks if there are any remaining token1 and token0 that were not used for swapping

In step 4, it uses _msgSender() (which is the StakerV2 contract) as the destination for unused tokens instead of the receiver

function zapOut(
    address outputToken,
    address receiver,
    SingleTokenSwap calldata swap0,
    SingleTokenSwap calldata swap1,
    KodiakVaultUnstakingParams calldata unstakeParams,
    VaultRedeemParams calldata redeemParams
)
    public
    override
    nonReentrant
    onlyWhitelistedKodiakVaults(unstakeParams.kodiakVault)
    returns (uint256 totalAmountOut)
{
    (
        IERC20 token0,
        IERC20 token1,
        uint256 token0Debt,
        uint256 token1Debt
    ) = _yeetOut(redeemParams, unstakeParams);
    if (token0Debt == 0 && token1Debt == 0) {
        return totalAmountOut;
    }
    // @note -> Do I need to check this, what happens if I don't.
    if (outputToken == address(token0)) {
        revert("Zapper: Invalid output token");
    } else if (outputToken == address(token1)) {
        revert("Zapper: Invalid output token");
    } else {
        // sent directly to receiver. What is receiver is zapper?
        totalAmountOut += _verifyTokenAndSwap(
            swap0,
            address(token0),
            outputToken,
            receiver
        );
        token0Debt -= swap0.inputAmount;
        totalAmountOut += _verifyTokenAndSwap(
            swap1,
            address(token1),
            outputToken,
            receiver
        );
        token1Debt -= swap1.inputAmount;
    }
    //@audit should I send token0 and token1 to receiver/user ?
->>  _clearUserDebt(token0, token1, token0Debt, token1Debt, _msgSender());
}

Proof of Concept

Flow

A user calls StakerV2:claimRewardsInToken to claim a reward in USDC. They want to swap 100 token0 and 100 token1 to USDC.

Zapper:zapOut is called and calculates the amounts. Based on the user's stakes, they're eligible for 200 token0 and 200 token1.

_verifyTokenAndSwap swaps 100 token0 and 100 token1 to USDC as specified by the user and sends that to the receiver/user.

Only 100 tokens of each type are utilized, and the remaining 100 of each should be returned to the receiver.

However, in _clearUserDebt, _msgSender() is used as the destination for remaining funds, which is actually the StakerV2 contract, not the user