#42189 [SC-High] User rewards incorrectly transferred to `StakeV2` instead of claimant
Submitted on Mar 21st 2025 at 15:39:46 UTC by @Ragnarok for
Report ID: #42189
Report Type: Smart Contract
Report severity: High
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Permanent freezing of funds
Users may lose rewards when claiming them due to a portion of the rewards being transferred to the `StakeV2` contract instead of the user.
When users claim rewards, they can call one of the following functions: `claimRewardsInToken0`, `claimRewardsInToken1`, `claimRewardsInNative`, or `claimRewardsInToken`.
In particular, the `StakeV2::claimRewardsInToken0` function calls `Zapper::zapOutToToken0`, which swaps `token1` for `token0`, then transfers all `token0` to the user (`receiver` parameter). However, any remaining `token1` is sent to the `StakeV2` contract (`msg.sender` in the context of `zapOutToToken0`) instead of the user.
This behavior is incorrect because the remaining `token1` is part of the user's rewards and should be transferred to them. A similar issue occurs in other reward-claiming functions.
`StakeV2::claimRewardsInToken0` function:
Users may lose a portion of their rewards when claiming them, as some rewards are inadvertently sent to the `StakeV2` contract instead of the user.
Consider the following scenario:
1. The user calls `StakeV2::claimRewardsInToken0` to claim rewards with `swapData.inputAmount = 10 ether`.
2. After `removeLiquidity`, the actual received amount of `token1` is `11 ether`.
3. The remaining `1 ether` of `token1` is incorrectly transferred to the `StakeV2` contract instead of the user.
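
The scenario above, replayed in a small Python ledger model. This is an added example, not the project's Solidity code; it shows the refund going to `msg.sender` beside the corrected refund to `receiver`. The function names, the 1:1 swap rate, the absence of fees and the omission of the `token0` side of `removeLiquidity` are assumptions made for illustration.

```python
# Simplified model of the refund path described in the report.
# Not the project's Solidity; names, 1:1 swap rate and zero fees are assumptions.
from collections import defaultdict

ETHER = 10**18


class Ledger:
    """Minimal token ledger: balances[token][holder], amounts in wei."""

    def __init__(self):
        self.balances = defaultdict(lambda: defaultdict(int))

    def credit(self, token, holder, amount):
        self.balances[token][holder] += amount

    def balance(self, token, holder):
        return self.balances[token][holder]


def zap_out_to_token0(ledger, msg_sender, receiver, token1_received,
                      swap_input_amount, refund_to_receiver):
    """Swap `swap_input_amount` of token1 for token0, pay token0 to `receiver`,
    then refund whatever token1 was received but not swapped."""
    if swap_input_amount > token1_received:
        raise ValueError("swap input exceeds token1 received from removeLiquidity")
    ledger.credit("token0", receiver, swap_input_amount)  # swap output at 1:1
    leftover = token1_received - swap_input_amount
    # Reported behaviour: leftover goes to msg_sender (the staking contract).
    # Corrected behaviour: leftover goes to receiver (the claimant).
    refund_target = receiver if refund_to_receiver else msg_sender
    if leftover:
        ledger.credit("token1", refund_target, leftover)
    return leftover


def claim_rewards_in_token0(refund_to_receiver):
    """Replay the report's scenario; StakeV2 is msg.sender of the zap call."""
    ledger = Ledger()
    zap_out_to_token0(ledger, msg_sender="StakeV2", receiver="user",
                      token1_received=11 * ETHER,    # actual removeLiquidity output
                      swap_input_amount=10 * ETHER,  # swapData.inputAmount
                      refund_to_receiver=refund_to_receiver)
    return ledger
```
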