#41907 [SC-High] Unused debt is not send to Reward Claimer
Was this helpful?
Was this helpful?
Submitted on Mar 19th 2025 at 10:03:41 UTC by @Oxgritty for
Report ID: #41907
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
When a user calls claimRewards(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) function, his reward is converted into his choice of token, during this swapping the amount of token which was not used will be send to StakeV2.sol instead of the user.
When a user calls one of these functions(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) to claim rewards and inside these functions we call a relevant zapOut function(like Zapper::zapOutNative
for StakeV2::claimRewardsInNative
or Zapper::zapOutToToken0
for StakingV2::claimRewardsInToken0
) in Zapper.sol, Zapper.sol pays back the amount of unused debt to StakeV2.sol and StakeV2 does not send it back to the user.
Reward Claimer loses unused debt, as it is transferred to StakeV2.sol
This issue is present in all 4 claimRewards function:
Same problem with these other 3 functions as well
claimRewardsInToken0
claimRewardsInToken1
claimRewardsInToken
Bob has rewards of 50e18 vaultShares that he wants to claim in Native Token(BERA) using StakeV2::claimRewardsInNative
zapOutNative
will turn 50e18 worth of vaultShares into the following Balances
45e18 (BERA)
2e18 (Token0)
3e18 (Token1)
StakeV2::claimRewardsInNative
Bob calls StakeV2::claimRewardsInNative
with amountToWithdraw=50e18
and function is successfully executed.
For StakeV2
Token0.balanceOf(address(StakeV2)) = 2e18
Token1.balanceOf(address(StakeV2)) = 3e18
BERA.balanceOf(address(StakeV2)) = 0
For Bob
Token0.balanceOf(address(Bob)) = 0
Token1.balanceOf(address(Bob)) = 0
BERA.balanceOf(address(Bob)) = 45e18
claimRewardsInNative
After Zapper::zapInNative
, we should send unused debt back to the user, but we are not doing it.