Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Yeet>Medium findings>Manager can leak funds during reward distribution
GeneralOverview
Findings
Critical (3)
High (1)
Medium (1)Manager can leak funds during reward distribution
Low (2)
Informational (1)
DiscussionInconsistencies in modifiers can lead to missing checksCircuitBreaker complexity introduces unnecessary attack surfaces
Threat ModelWhat are threat models?MoneyBrinter.solStakeV2.solZapper.sol
Audit ResultsAssessment Results
Category: Coding Mistakes

Manager can leak funds during reward distribution

Medium Severity
Medium Impact
Low Likelihood

Description

The StakeV2 contract expects an onlyManager-approved account to execute the reward distribution. If the Zapper contract has an approved Kodiak Vault that can be rounded down to zero, it is possible for rewards to be lost to stakers in StakeV2 during distribution.

The executeRewardDistribution() function validates the results from zapping as follows:

(uint256 amountIslandTokens, uint256 vaultSharesMinted) =
    zapper.zapInNative{value: amountToDistribute}(swap0, swap1, stakingParams, vaultParams);
require(amountIslandTokens == 0, "Amount of island tokens must be 0");
totalVaultShares += vaultSharesMinted;

This code block conducts checks to ensure island tokens have not been minted; however, it does check that vaultSharesMinted == 0.

Impact

Either intentionally or accidentally, if vault shares are rounded down to zero, the StakeV2 contract transfers funds without receiving the rights to the rewards those funds generate.

Manager is a trusted role; therefore, likelihood of this attack is low. However, the total user reward is vulnerable, leading to a higher impact.

Recommendations

Reward distribution should ensure that vaultSharesMinted != 0 to avoid easy compromises of vault-share manipulation.

Remediation

This issue has been acknowledged by Sanguine Labs LTD, and a fix was implemented in commit 4ef36a6b.

Zellic © 2025Back to top ↑