The protocol distributes to users the yield earned on the LST ETH held in the system. This yield is only realized within the system when updateYield() is called. The updateYield(vault) function checks whether the value of the underlying ETH has increased and, if so, updates the Vault.zethYieldRate.
A user receives yield in one of two ways:
Distribute Yield: The distributeYield(assets[]) function, which loops over a list of assets and through a user's shortRecords, increasing both a user's zETH yield and token yield.
Disburse Collateral: The disburseCollateral function, which is called whenever collateral "leaves" a shortRecord. This is similar to distributeYield but pertains to a particular shortRecord and distributes yield only for the amount of collateral that is being decreased.
A short's yield is calculated using the zethYieldRate, which is updated whenever the updateYield function is called.
Neither the distributeYield nor the disburseCollateral function calls updateYield, meaning a user could potentially get fewer rewards than they would have if the zethYieldRate were up to date.
An outdated zethYieldRate in the distributeYield and disburseCollateral functions could lead to users receiving less yield than they should.
Manual Analysis
Invoke updateYield within both the distributeYield and disburseCollateral functions to ensure that the zethYieldRate is always up to date during yield distribution, thus preventing users from receiving less yield due to outdated rates.
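The shortfall and the recommended fix can be seen in a small accounting model. This is an added example, not the protocol's Solidity code: the `Vault` and `ShortRecord` classes, the `refresh_first` flag, the sample numbers and the rate formula (yield gained divided by recorded collateral) are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass
class Vault:
    zeth_collateral: int                      # collateral the system has accounted for
    underlying_eth: int                       # current value of the LST ETH backing it
    zeth_yield_rate: Fraction = Fraction(0)   # cumulative yield per unit of collateral

    def update_yield(self) -> None:
        """Realize yield only if the underlying ETH value has increased."""
        gained = self.underlying_eth - self.zeth_collateral
        if gained > 0:
            self.zeth_yield_rate += Fraction(gained, self.zeth_collateral)
            self.zeth_collateral = self.underlying_eth


@dataclass
class ShortRecord:
    collateral: int
    zeth_yield_rate: Fraction                 # vault rate when this record last settled


def disburse_collateral(vault: Vault, short: ShortRecord, amount: int,
                        refresh_first: bool) -> Fraction:
    """Pay yield on collateral leaving the short, at the vault's recorded rate."""
    if refresh_first:                         # the recommended fix
        vault.update_yield()
    paid = amount * (vault.zeth_yield_rate - short.zeth_yield_rate)
    short.collateral -= amount
    return paid


def scenario(refresh_first: bool) -> Fraction:
    # Constructed sample values: 1000 collateral in the vault, 100 in one short.
    vault = Vault(zeth_collateral=1000, underlying_eth=1000)
    short = ShortRecord(collateral=100, zeth_yield_rate=vault.zeth_yield_rate)
    vault.underlying_eth = 1050               # LST accrues 5%; nobody calls update_yield
    return disburse_collateral(vault, short, 100, refresh_first)


if __name__ == "__main__":
    print("stale rate:    ", scenario(refresh_first=False))
    print("refreshed rate:", scenario(refresh_first=True))
```

Because the collateral has left the shortRecord by the time the rate is next updated, the yield accrued during the stale window is not paid on it in this model.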