
Patch Review

Incorrect performance fee calculation

We've reviewed the changes introduced in commit , specifically addressing the incorrect performance fee calculation in computeHarvestFee(), which led to undercharging on gains.

The fix resolves the undercharging issue by changing perfFeeNum to multiply by SECONDS_IN_YEAR rather than by timeElapsed. The updated logic appears sound.

-uint256 perfFeeNum = config.performanceFee * timeElapsed;
+uint256 perfFeeNum = config.performanceFee * SECONDS_IN_YEAR;
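Review bot: the hunk shows only the numerator, so whether multiplying `config.performanceFee` by the constant `SECONDS_IN_YEAR` instead of `timeElapsed` yields the intended fee depends on the divisor that `perfFeeNum` is later divided by, which is outside these two lines; consider including that line in the hunk, or adding a comment on the `+` line stating why the constant factor is there, so the next reader does not have to reconstruct the cancellation. With this change the numerator no longer varies with elapsed time, which is consistent with a performance fee that is charged on gains rather than prorated over time; if `timeElapsed` is no longer used elsewhere in `computeHarvestFee()`, the now-dead computation of it should be removed in the same change.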

We also reviewed:

  • Upgrade safety: No concerns identified with respect to fee changes.

  • Integer safety: Confirmed that the calculation remains safe under 256-bit constraints; no risk of overflow.

  • Access control: The newly introduced claimMiscellaneousRewards function includes appropriate access control for sending non-strategy tokens to the fee recipient.

Based on our review, this patch effectively resolves the reported issue and introduces no new security concerns.

Zellic © 2025