#41895 [SC-Medium] Potential loss of token0, token1 in the MoneyBrinter contract
Was this helpful?
Was this helpful?
Submitted on Mar 19th 2025 at 08:46:59 UTC by @trtrth for
Report ID: #41895
Report Type: Smart Contract
Report severity: Medium
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol
Impacts:
Permanent freezing of funds
The function MoneyBrinter::compound()
is expected to be called by manager to compound rewards by swapping harvested tokens, staking in Kodiak vault and depositing into Beradrome farm. However, the unused token0, token1 held by the contract is not handled
The function MoneyBrinter::compound()
calls Zapper::zapInWithMultipleTokens()
to handle zapping in with multiple input tokens.
It is expected behavior that the Zapper contract returns the unused token0, token1 to the vault in the flow of compounding. However, that unused tokens returned to vault contract are not explicitly handled. Besides, if the manager is about to use these tokens for the next compounding, there can be 2 scenarios:
Token0 and token1 are supposed to directly added to the liquidity pool ==> This is not supported by the function Zapper::zapInWithMultipleTokens()
because all input tokens are swapped to token0 and token1
The manager resolves the scenario (1) by swap token0 to token1 and token1 to token0. This case, the swaps will have to suffer slippage/price impacts. ==> The amounts of token0, token1 after swap can be lower than the original amounts ==> The actual amounts to be added into liquidity pool is lower than expected
Token0, token1 held by MoneyBrinter contract can be either stuck or suffer swapping's slippage/price impacts before being added into liquidity pool
https://github.com/immunefi-team/audit-comp-yeet/blob/da15231cdefd8f385fcdb85c27258b5f0d0cc270/src/contracts/Zapper.sol#L230-L240
Rewards are harvested
The manager calls compound()
with all holding rewards
There are unused token0, token1 in the process of zapping in, let's say x
and y
are unsued amount of token0 and token1
The manager can not directly add x
token0 and y
token1 into liquidity pool OR
if the manager tries to swap x
token0 to token1 and y
token1 to token1, then the resulted amounts are x'
token0 and y'
token1. Most of the cases, x' < x
and y' < y
happens => Loss of x - x'
token0 and y - y'
token1 for adding liquidity