#41907 [SC-High] Unused debt is not send to Reward Claimer

Previous#41895 [SC-Medium] Potential loss of token0, token1 in the MoneyBrinter contract Next#41911 [SC-Critical] Unstake amount can be zapped before user withdrawal

Was this helpful?

#41907 [SC-High] Unused debt is not send to Reward Claimer

Submitted on Mar 19th 2025 at 10:03:41 UTC by @Oxgritty for

Report ID: #41907
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
- Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

When a user calls claimRewards(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) function, his reward is converted into his choice of token, during this swapping the amount of token which was not used will be send to StakeV2.sol instead of the user.

Vulnerability Details

When a user calls one of these functions(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) to claim rewards and inside these functions we call a relevant zapOut function(like Zapper::zapOutNative for StakeV2::claimRewardsInNative or Zapper::zapOutToToken0 for StakingV2::claimRewardsInToken0) in Zapper.sol, Zapper.sol pays back the amount of unused debt to StakeV2.sol and StakeV2 does not send it back to the user.

Impact Details

Reward Claimer loses unused debt, as it is transferred to StakeV2.sol

References

This issue is present in all 4 claimRewards function:

Same problem with these other 3 functions as well

claimRewardsInToken0
claimRewardsInToken1
claimRewardsInToken

Proof of Concept

Step 0: Assumptions we are making

Bob has rewards of 50e18 vaultShares that he wants to claim in Native Token(BERA) using StakeV2::claimRewardsInNative
zapOutNative will turn 50e18 worth of vaultShares into the following Balances
1. 45e18 (BERA)
2. 2e18 (Token0)
3. 3e18 (Token1)

Step 1: Calling `StakeV2::claimRewardsInNative`

Bob calls StakeV2::claimRewardsInNative with amountToWithdraw=50e18 and function is successfully executed.

Step 2: Checking Balances:

For StakeV2
1. Token0.balanceOf(address(StakeV2)) = 2e18
2. Token1.balanceOf(address(StakeV2)) = 3e18
3. BERA.balanceOf(address(StakeV2)) = 0
For Bob
1. Token0.balanceOf(address(Bob)) = 0
2. Token1.balanceOf(address(Bob)) = 0
3. BERA.balanceOf(address(Bob)) = 45e18

Previous#41895 [SC-Medium] Potential loss of token0, token1 in the MoneyBrinter contract Next#41911 [SC-Critical] Unstake amount can be zapped before user withdrawal

Was this helpful?

Submitted on Mar 19th 2025 at 10:03:41 UTC by @Oxgritty for

Report ID: #41907
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
- Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

When a user calls claimRewards(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) function, his reward is converted into his choice of token, during this swapping the amount of token which was not used will be send to StakeV2.sol instead of the user.

Vulnerability Details

When a user calls one of these functions(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) to claim rewards and inside these functions we call a relevant zapOut function(like Zapper::zapOutNative for StakeV2::claimRewardsInNative or Zapper::zapOutToToken0 for StakingV2::claimRewardsInToken0) in Zapper.sol, Zapper.sol pays back the amount of unused debt to StakeV2.sol and StakeV2 does not send it back to the user.

Impact Details

Reward Claimer loses unused debt, as it is transferred to StakeV2.sol

References

This issue is present in all 4 claimRewards function:

claimRewardsInNative After Zapper::zapInNative, we should send unused debt back to the user, but we are not doing it.

Same problem with these other 3 functions as well

claimRewardsInToken0
claimRewardsInToken1
claimRewardsInToken

Proof of Concept

Step 0: Assumptions we are making

Bob has rewards of 50e18 vaultShares that he wants to claim in Native Token(BERA) using StakeV2::claimRewardsInNative
zapOutNative will turn 50e18 worth of vaultShares into the following Balances
1. 45e18 (BERA)
2. 2e18 (Token0)
3. 3e18 (Token1)

Step 1: Calling `StakeV2::claimRewardsInNative`

Bob calls StakeV2::claimRewardsInNative with amountToWithdraw=50e18 and function is successfully executed.

Step 2: Checking Balances:

For StakeV2
1. Token0.balanceOf(address(StakeV2)) = 2e18
2. Token1.balanceOf(address(StakeV2)) = 3e18
3. BERA.balanceOf(address(StakeV2)) = 0
For Bob
1. Token0.balanceOf(address(Bob)) = 0
2. Token1.balanceOf(address(Bob)) = 0
3. BERA.balanceOf(address(Bob)) = 45e18

Description

Brief/Intro

Vulnerability Details

Impact Details

References

Proof of Concept

Proof of Concept

Step 0: Assumptions we are making

Step 1: Calling StakeV2::claimRewardsInNative

Step 2: Checking Balances:

Description

Brief/Intro

Vulnerability Details

Impact Details

References

Proof of Concept

Proof of Concept

Step 0: Assumptions we are making

Step 1: Calling StakeV2::claimRewardsInNative

Step 2: Checking Balances:

Step 1: Calling `StakeV2::claimRewardsInNative`

Step 1: Calling `StakeV2::claimRewardsInNative`