#42152 [SC-Critical] `StakeV2::accumulatedDeptRewardsYeet` fails to account for pending vesting withdrawals which could cause contract insolvency
Was this helpful?
Was this helpful?
Submitted on Mar 21st 2025 at 10:34:08 UTC by @kmm for
Report ID: #42152
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Protocol insolvency
Smart contract unable to operate due to lack of token funds
The StakeV2::accumulatedDeptRewardsYeet
function does not account tokens that are currently getting vested, which could cause the manager to user those funds to mint vault shares. Causing insolvency in the redeeming of staking tokens.
The function StakeV2::executeRewardDistributionYeet
, is used to convert excess Yeet amount, into vault shares to distribute to the stakeholders.
The amount is validated against StakeV2::accumulatedDeptRewardsYeet
.
When users want to withdraw they must create a request via StakeV2::startUnstake
.
Within the function totalSupply
is deducted but the tokens are not sent anywhere and the vesting for the user starts.
In this situation the manager is completely allowed to use these tokens, and cause insolvency and loss of funds for a lot of users.
totalSupply
is 1000, balanceOf is 1001
User creates a unstake vesting for 500 tokens
totalSupply=500
The manager is not aware of this and thinks there are 501 excess tokens
The manager reinvests them bringing balanceOf=500, totalSupply=500
The user after that claims his vesting, bringing balanceOf=0
, totalSupply=500
.
Users cannot withdraw due to insufficientBalance
The manager can no longer reinvest, due to underflow in accumulatedDeptRewardsYeet