#42623 [SC-Critical] Potential Loss of Staked Tokens During Unstaking, Incorrect calculation of excess tokens in`accumulatedDeptRewardsYeet`
Was this helpful?
Was this helpful?
Submitted on Mar 25th 2025 at 03:37:48 UTC by @KaptenCrtz for
Report ID: #42623
Report Type: Smart Contract
Report severity: Critical
Target: https://github.com/immunefi-team/audit-comp-yeet/blob/main/src/StakeV2.sol
Impacts:
Protocol insolvency
Smart contract unable to operate due to lack of token funds
The accumulatedDeptRewardsYeet
function in the StakeV2
contract incorrectly calculates excess rewards by subtracting totalSupply
from the contract's stakingToken
balance. This calculation does not account for tokens locked during the vesting period, leading to the potential misallocation of staked tokens. If exploited, this could result in the permanent loss of user funds, as these tokens are sent to the zapper and cannot be recovered.
The vulnerability lies in the following code snippet from the accumulatedDeptRewardsYeet
function:
This function is designed to calculate the "excess rewards" in the contract, which are then distributed to the vaults via the executeRewardDistributionYeet
function. However, the calculation is flawed because it assumes that any tokens in the contract exceeding the totalSupply are excess rewards. This assumption is incorrect in scenarios where tokens are locked during the vesting period. The totalSupply
variable represents the total amount of tokens currently staked by users. Ideally, any tokens in the contract exceeding this amount should be considered as rewards or excess tokens that can be distributed.
The issue arises during the locking period when users initiate the unstaking process. During this period:
The totalSupply is reduced to reflect the user's unstaked amount.
However, the actual tokens remain in the contract until the vesting period ends.
If the accumulatedDeptRewardsYeet
function is called during this locked period, it incorrectly considers the locked tokens as "excess rewards." These tokens are then sent to the zapper via the executeRewardDistributionYeet
function, leaving no way to recover them for the user. This results in a permanent loss of user funds.
For example:
A user unstakes 100 tokens, initiating a 10-day vesting period.
The totalSupply is reduced by 100, but the tokens remain in the contract.
A manager calls executeRewardDistributionYeet, which uses accumulatedDeptRewardsYeet to calculate excess rewards.
The 100 locked tokens are sent to the zapper, leaving the user unable to reclaim them after the vesting period.
The impact of this vulnerability is severe:
Loss of User Funds: Locked tokens during the vesting period can be permanently lost if misallocated as excess rewards. Unable to claim tokens after locking period ends.
Financial Instability: If a significant number of tokens are misallocated, it could lead to substantial financial losses for both users and the protocol.
For example, if multiple users initiate unstaking and the manager repeatedly calls executeRewardDistributionYeet
, a large portion of staked tokens could be lost to the zapper. This could result in significant financial damage and loss of user confidence in the protocol.
Paste this above test in StakeV2.test.sol::StakeV2_HandleExcessDebt
,
.
.