The StakeV2::executeRewardDistributionYeet() function incorrectly distributes pending withdrawals as rewards to remaining stakers, leading to protocol insolvency.
Vulnerability Details
The root cause lies in how totalSupply is decremented when users initiate withdrawals, while those tokens remain in the contract during the vesting period.
function startUnstake(uint256 unStakeAmount) external {
require(unStakeAmount > 0, "Amount must be greater than 0");
require(stakedTimes[msg.sender] < STAKING_LIMIT, "Amount must be less then the STAKING_LIMIT constant"); // DOS protection https://github.com/Enigma-Dark/Yeet/issues/12
_updateRewards(msg.sender);
uint256 amount = balanceOf[msg.sender];
require(amount >= unStakeAmount, "Insufficient balance");
balanceOf[msg.sender] -= unStakeAmount;
@> totalSupply -= unStakeAmount;
uint256 start = block.timestamp;
uint256 end = start + VESTING_PERIOD;
vestings[msg.sender].push(Vesting(unStakeAmount, start, end));
stakedTimes[msg.sender]++;
emit VestingStarted(msg.sender, unStakeAmount, vestings[msg.sender].length - 1);
}
The accumulatedDeptRewardsYeet() function calculates rewards as:
function accumulatedDeptRewardsYeet() public view returns (uint256) {
return stakingToken.balanceOf(address(this)) - totalSupply;
}
When users call startUnstake(), their tokens are subtracted from totalSupply but remain in the contract until the vesting period ends. This causes accumulatedDeptRewardsYeet() to incorrectly count pending withdrawal tokens as distributable rewards.
Impact
Incorrect handling of the totalSupply will lead to distribution of user's stake as rewards, which will lead to insolvency.
Proof of Concept
Proof of Concept
User A stakes 1000 YEET tokens
User A calls startUnstake(1000)
totalSupply decreases by 1000
Tokens remain in contract during 10 day vesting
During vesting period, manager calls executeRewardDistributionYeet()