Manager can leak funds during reward distribution
Description
The StakeV2 contract expects an onlyManager
-approved account to execute the reward distribution. If the Zapper contract has an approved Kodiak Vault that can be rounded down to zero, it is possible for rewards to be lost to stakers in StakeV2 during distribution.
The executeRewardDistribution()
function validates the results from zapping as follows:
(uint256 amountIslandTokens, uint256 vaultSharesMinted) =
zapper.zapInNative{value: amountToDistribute}(swap0, swap1, stakingParams, vaultParams);
require(amountIslandTokens == 0, "Amount of island tokens must be 0");
totalVaultShares += vaultSharesMinted;
This code block conducts checks to ensure island tokens have not been minted; however, it does check that vaultSharesMinted == 0
.
Impact
Either intentionally or accidentally, if vault shares are rounded down to zero, the StakeV2 contract transfers funds without receiving the rights to the rewards those funds generate.
Manager is a trusted role; therefore, likelihood of this attack is low. However, the total user reward is vulnerable, leading to a higher impact.
Recommendations
Reward distribution should ensure that vaultSharesMinted != 0
to avoid easy compromises of vault-share manipulation.
Remediation
This issue has been acknowledged by Sanguine Labs LTD, and a fix was implemented in commit 4ef36a6b↗.