Assessment reports>RabbitX>Low findings>Minimum amount of ,claimYield, does not work as intended
Category: Business Logic

Minimum amount of claimYield does not work as intended

Low Severity
Low Impact
High Likelihood

Description

The following is the code of the claimYield function:

uint256 constant HUNDRED_DOLLARS = 1e19;

// ...

function claimYield() external nonReentrant onlyClaimer {
    uint256 claimable = paymentToken.getClaimableAmount(address(this));
    if (claimable > HUNDRED_DOLLARS) {
        uint256 balanceBefore = paymentToken.balanceOf(address(this));
        paymentToken.claim(address(this), claimable);
        uint256 balanceAfter = paymentToken.balanceOf(address(this));
        require(balanceAfter > balanceBefore, "CLAIM_DIDNT_INCREASE_BALANCE");
        emit ClaimedYield(balanceAfter - balanceBefore);
    }
}

This code seems to enforce the minimum amount of claiming to be higher than a hundred dollars. However, this is misleading:

  1. It is assumed that the payment token is USDB; however, it can be changed through the setPaymentToken function.

  2. The constant HUNDRED_DOLLARS refers to 1e19, which would be 10 for the tokens with 18 decimals.

Impact

If the payment token of the contract is changed, this may affect the functionality of the claimYield function depending on the price of the new payment token.

This finding also documents the typo of the code affecting the logic.

Recommendations

Consider making the minimum amount of claiming to be configurable and changing the name or the value of the variable.

Remediation

Blast Futures notified us that they were previously aware of the typo issue. Blast Futures also stated that they do not expect to change the payment token unless it is required to do so due to a major event, and they would deploy the new contract if it breaks the functionality of the existing contract.

Zellic © 2025Back to top ↑