Was this helpful?
Submitted on Mar 19th 2025 at 10:03:41 UTC by @Oxgritty for
Report ID: #41907
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
When a user calls claimRewards(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) function, his reward is converted into his choice of token, during this swapping the amount of token which was not used will be send to StakeV2.sol instead of the user.
When a user calls one of these functions(claimRewardsInNative/ claimRewardsInToken0/ claimRewardsInToken1/ claimRewardsInToken) to claim rewards and inside these functions we call a relevant zapOut function(like Zapper::zapOutNative for StakeV2::claimRewardsInNative or Zapper::zapOutToToken0 for StakingV2::claimRewardsInToken0) in Zapper.sol, Zapper.sol pays back the amount of unused debt to StakeV2.sol and StakeV2 does not send it back to the user.
Reward Claimer loses unused debt, as it is transferred to StakeV2.sol
This issue is present in all 4 claimRewards function:
Same problem with these other 3 functions as well
claimRewardsInToken0
claimRewardsInToken1
claimRewardsInToken
Bob has rewards of 50e18 vaultShares that he wants to claim in Native Token(BERA) using StakeV2::claimRewardsInNative
zapOutNative will turn 50e18 worth of vaultShares into the following Balances
45e18 (BERA)
2e18 (Token0)
3e18 (Token1)
StakeV2::claimRewardsInNativeBob calls StakeV2::claimRewardsInNative with amountToWithdraw=50e18 and function is successfully executed.
For StakeV2
Token0.balanceOf(address(StakeV2)) = 2e18
Token1.balanceOf(address(StakeV2)) = 3e18
BERA.balanceOf(address(StakeV2)) = 0
For Bob
Token0.balanceOf(address(Bob)) = 0
Token1.balanceOf(address(Bob)) = 0
BERA.balanceOf(address(Bob)) = 45e18
claimRewardsInNative
After Zapper::zapInNative, we should send unused debt back to the user, but we are not doing it.