search
Active Boosts

#42518 [SC-Critical] Incorrect handling of total staked funds will lead to protocol insolvency

Submitted on Mar 24th 2025 at 13:23:43 UTC by @dobrevaleri for Audit Comp | Yeetarrow-up-right

  • Report ID: #42518

  • Report Type: Smart Contract

  • Report severity: Critical

  • Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol

  • Impacts:

    • Protocol insolvency

hashtag
Description

hashtag
Brief/Intro

The StakeV2::executeRewardDistributionYeet() function incorrectly distributes pending withdrawals as rewards to remaining stakers, leading to protocol insolvency.

hashtag
Vulnerability Details

The root cause lies in how totalSupply is decremented when users initiate withdrawals, while those tokens remain in the contract during the vesting period.

    function startUnstake(uint256 unStakeAmount) external {
        require(unStakeAmount > 0, "Amount must be greater than 0");
        require(stakedTimes[msg.sender] < STAKING_LIMIT, "Amount must be less then the STAKING_LIMIT constant"); // DOS protection https://github.com/Enigma-Dark/Yeet/issues/12
        _updateRewards(msg.sender);
        uint256 amount = balanceOf[msg.sender];
        require(amount >= unStakeAmount, "Insufficient balance");

        balanceOf[msg.sender] -= unStakeAmount;
@>      totalSupply -= unStakeAmount;

        uint256 start = block.timestamp;
        uint256 end = start + VESTING_PERIOD;
        vestings[msg.sender].push(Vesting(unStakeAmount, start, end));
        stakedTimes[msg.sender]++;
        emit VestingStarted(msg.sender, unStakeAmount, vestings[msg.sender].length - 1);
    }

$YEET tokens as rewards are distributed as:

The accumulatedDeptRewardsYeet() function calculates rewards as:

When users call startUnstake(), their tokens are subtracted from totalSupply but remain in the contract until the vesting period ends. This causes accumulatedDeptRewardsYeet() to incorrectly count pending withdrawal tokens as distributable rewards.

hashtag
Impact

Incorrect handling of the totalSupply will lead to distribution of user's stake as rewards, which will lead to insolvency.

hashtag
Proof of Concept

hashtag
Proof of Concept

  1. User A stakes 1000 YEET tokens

  2. User A calls startUnstake(1000)

    • totalSupply decreases by 1000

    • Tokens remain in contract during 10 day vesting

  3. During vesting period, manager calls executeRewardDistributionYeet()

    • accumulatedDeptRewardsYeet() returns 1000 (contract balance - totalSupply)

    • The 1000 tokens are distributed to other stakers as rewards

  4. After vesting period, User A tries to withdraw but contract lacks funds

Previous#42469 [SC-Critical] Incorrect computation of excess rewards leads to permanent freezing of user fundsNext#42525 [SC-High] Misallocation of leftover token1 in StakeV2.claimRewardsInToken0

Was this helpful?