search
Active Boosts

#42033 [SC-Insight] MoneyBrinter contract does not consider farm's pausing status

Submitted on Mar 20th 2025 at 07:26:30 UTC by @trtrth for Audit Comp | Yeetarrow-up-right

  • Report ID: #42033

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/contracts/MoneyBrinter.sol

  • Impacts:

hashtag
Description

hashtag
Brief/Intro

The contract MoneyBrinter does not consider Kodiak farm's pausing status for staking and withdrawals. This can cause MoneyBrinter to be incompliant with ERC-4626

hashtag
Vulnerability Details

Both function depositFor() and withdrawTo() from Beradrome farm plugin contract handle withdraw locked all from Kodiak farm and continue to stake all into the farm. Here depositFor() is called by MoneyBrinter::deposit() and MoneyBrinter::mint(). The function withdrawTo()is called byMoneyBrinter::withdraw()andMoneyBrinter::redeem(). So all the core functions of MoneyBrinter` contract go through the steps Farm::withdrawLockedAll() -> Farm::stakeLocked().

    function depositFor(address account, uint256 amount) 
        public 
        override 
    {
        super.depositFor(account, amount);
        ICommunalFarm(farm).withdrawLockedAll();
        uint256 balance = IERC20(getUnderlyingAddress()).balanceOf(address(this));
        IERC20(getUnderlyingAddress()).safeApprove(farm, 0);
        IERC20(getUnderlyingAddress()).safeApprove(farm, balance);
        ICommunalFarm(farm).stakeLocked(balance, 0);
    }

    function withdrawTo(address account, uint256 amount) 
        public 
        override 
    {
        ICommunalFarm(farm).withdrawLockedAll(); 
        super.withdrawTo(account, amount);
        uint256 balance = IERC20(getUnderlyingAddress()).balanceOf(address(this));
        IERC20(getUnderlyingAddress()).safeApprove(farm, 0);
        IERC20(getUnderlyingAddress()).safeApprove(farm, balance);
        ICommunalFarm(farm).stakeLocked(balance, 0);
    }

On the other side, the farm contract has pausing feature for the staking and withdrawals. So in case only one of these two is paused, then the core functions of MoneyBrinter contract does not work and all funds can be temporarily locked in farm contract

hashtag
Impact Details

  • ERC-4626 incompliant

  • Contract's core functions can be unable to operate

hashtag
References

Farm contract: https://bartio.beratrail.io/token/0xbdEE3F788a5efDdA1FcFe6bfe7DbbDa5690179e6/contract/code

Beradrome plugin contract: https://bartio.beratrail.io/token/0x80D7759Fa55f6a1F661D5FCBB3bC5164Dc63eb4D/contract/code

hashtag
Proof of Concept

hashtag
Proof of Concept

  • Modify the test test_Valid_Deposit_Into_Beradrome in test file test/vault/Vault_IntegrationTest_ZeroFee.t.sol

  • Run the test by command forge t --mt test_Valid_Deposit_Into_Beradrome -vv and the console shows

It means that the maxDeposit() returns wrong value, and it is also impossible to deposit into the vault even when Kodiak farm only pauses withdrawals

Previous#42020 [SC-Critical] Inaccurate calculation in `accumulatedDeptRewardsYeet()` causes double counting of vesting tokens as excess, leading to permanent loss of user fundsNext#42039 [SC-High] When calling `StakeV2::claimRewardsInNative()` surplus $YEET are send to the StakeV2 contract instead of the user

Was this helpful?