search
Active Boosts

#42538 [SC-Insight] Incorrect value in events emitted in StakeV2

Submitted on Mar 24th 2025 at 15:07:29 UTC by @dobrevaleri for Audit Comp | Yeetarrow-up-right

  • Report ID: #42538

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol

  • Impacts:

    • Contract fails to deliver promised returns, but doesn't lose value

hashtag
Description

hashtag
Brief

All StakeV2 claim functions emit misleading events when claiming rewards, as it only accounts for tokens received by the Zapper contract rather than the actual recipient.

hashtag
Vulnerability Details

The issue occurs in All StakeV2 claim functions where the Claimed event is emitted with the return value from the Zapper's withdrawal functions:

function claimRewardsInToken1(
    uint256 amountToWithdraw,
    IZapper.SingleTokenSwap calldata swapData,
    IZapper.KodiakVaultUnstakingParams calldata unstakeParams,
    IZapper.VaultRedeemParams calldata redeemParams
) external nonReentrant {
    _updateRewards(msg.sender);
    IZapper.VaultRedeemParams memory updatedRedeemParams = _verifyAndPrepareClaim(amountToWithdraw, redeemParams);
    
    IERC20(redeemParams.vault).approve(address(zapper), amountToWithdraw);
    uint256 receivedAmount = zapper.zapOutToToken1(msg.sender, swapData, unstakeParams, updatedRedeemParams);
    
    emit Claimed(msg.sender, receivedAmount);
}

The problem is that the Zapper's _yeetOut() function returns 0 as claimed value if the recipient in either KodiakVaultUnstakingParams or VaultRedeemParams is different from the Zapper's address, which doesn't correctly represent the actual claimed assets. Also because of this the zapOutToToken1() will also return 0, which is used for emitting the Claimed event:

hashtag
Impact

  • Events emit incorrect reward claim amounts

  • Off-chain systems tracking rewards through events will have incorrect data

  • Users may appear to have claimed 0 rewards when they actually received tokens

hashtag
Proof of Concept

hashtag
Proof of Concept

  1. User has earned rewards in StakeV2

  2. User calls claimRewardsInToken1() and sets the recipient in either unstakeParams or redeemParams to their address

  3. The withdrawal executes successfully and user receives tokens

  4. However, the Claimed event emits 0 as the claimed amount since the recipient wasn't the Zapper

  5. Off-chain systems tracking rewards see a claim for 0 tokens despite actual tokens being transferred

Previous#42532 [SC-High] Compound function in MoneyBrinter can lead to loss of yieldNext#42539 [SC-Low] Incorrect `maxWithdraw()` returns lead to user failed withdrawals of returned maximum amount

Was this helpful?