Was this helpful?
Submitted on Mar 24th 2025 at 15:07:29 UTC by @dobrevaleri for
Report ID: #42538
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Contract fails to deliver promised returns, but doesn't lose value
All StakeV2 claim functions emit misleading events when claiming rewards, as it only accounts for tokens received by the Zapper contract rather than the actual recipient.
The issue occurs in All StakeV2 claim functions where the Claimed event is emitted with the return value from the Zapper's withdrawal functions:
The problem is that the Zapper's _yeetOut() function returns 0 as claimed value if the recipient in either KodiakVaultUnstakingParams or VaultRedeemParams is different from the Zapper's address, which doesn't correctly represent the actual claimed assets. Also because of this the zapOutToToken1() will also return 0, which is used for emitting the Claimed event:
Events emit incorrect reward claim amounts
Off-chain systems tracking rewards through events will have incorrect data
Users may appear to have claimed 0 rewards when they actually received tokens
User has earned rewards in StakeV2
User calls claimRewardsInToken1() and sets the recipient in either unstakeParams or redeemParams to their address
The withdrawal executes successfully and user receives tokens
However, the Claimed event emits 0 as the claimed amount since the recipient wasn't the Zapper
Off-chain systems tracking rewards see a claim for 0 tokens despite actual tokens being transferred
