Yield Claim Rounding Errors
Summary
The function _getAccruedYieldPrivate() calculates accrued yield by subtracting wTokenSupply from aTokenBalance. However, rounding issues may cause wTokenSupply> aTokenBalance, resulting in an incorrect 0 return
Vulnerability Details
.Aave's interest model results in small discrepancies between aToken balance and wToken supply.
. If wTokenSupply is slightly larger due to rounding, _getAccruedYieldPrivate() returns 0 even when yield exists.
.Setup
.Alice deposits 1000 USDC and receives 1000 aUSDC and 1000 wUSDC.
. Overtime, 1 USDC yield accrues, so aUSDC balance = 1001, but wUSDC supply = 1002 due to rounding
.Exploit
. _getAccruedYieldPrivate() computes 1001 - 1002 = 0, meaning Alice gets zero yield
Consequences
Alice's accrued yield is permanently lost
Code location Concern
Impact
. If rounding favours aTokens, users may over claim yield, potentially causing fund shortages in the protocol
. If rounding favours wTokens, users may over claim yield, potentially causing fund shortages in the protocol
. Small differences in balance calculations may accumulate over time, leading to unexpected errors when redeeming yield.
Tools Used
Manual review
Recommendations
Fix
This ensures at least 1 wei is returned, avoiding unnecessary loss due to rounding errors
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.