Was this helpful?
Submitted on Mar 19th 2025 at 03:16:10 UTC by @OxSimao for
Report ID: #41873
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol
Impacts:
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
MoneyBrinter.sol incorrectly undercharges borrowing fee due to a math error.
MoneyBrinter.sol implements previewWithdraw() and previewRedeem() and calculates the result including the exit fee, exitFeeBasisPoints. However, this calculation is incorrect.
Suppose there are 1000 assets and shares, user wants to withdraw 100 assets and calls withdraw(), internally calling previewWithdraw() to calculate the fee. feeBasisPoints is 1000 (10%) and _BASIS_POINT_SCALE is 1e4.
So, calling previewWithdraw() with 100 assets returns 110 shares. However, this fee is smaller than feeBasisPoints = 10%, as 110 shares should give 110 * 0.9 = 99 shares, which is 99 assets also given same total supply and total assets. The actual fee applied is:
110 shares are worth 110 assets;
out of 110 assets, 100 assets are withdrawn
1 - 100/110 = 0.091, so the fee is actually 9.1%. This represents a 0.9% fee loss.
Issue is similar for previewRedeem().
Significant fee loss, if fee is 10%, actual fee is 9.1%, showing a 0.9% fee loss.
https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol?utm_source=immunefi#L142-L150
Described in the report above but it boils down to:
User calls MoneyBrinter::withdraw(), but instead of paying an exit fee of 10%, pays 9.1%.
