Part 2

Summary

The contract does not account for rebasing tokens, which could lead to incorrect fee calculations or distributions. This issue is critical because Zaros integrates with Boosted (Re)Staking Vaults, which may involve rebasing tokens.

Vulnerability Details

• Rebasing tokens adjust their balances automatically, which could cause discrepancies in fee calculations.

• Example Scenario:

  • A rebasing token increases its balance during a fee calculation.

  • The contract uses outdated balances, leading to incorrect fee distributions.

Impact

• Discrepancies in fee calculations would harm LPs and undermine Zaros's goal of maximizing yield generation.

• Zaros's integration with Boosted (Re)Staking Vaults could be compromised if rebasing tokens are not handled correctly.

Severity

• **Medium **: While this vulnerability does not directly lead to financial loss, it introduces inaccuracies in fee distribution, which could harm LPs and undermine Zaros's core functionality.

Tools Used

• **Foundry **: Simulated interactions with rebasing tokens.

• **Slither **: Detected the lack of rebasing token support during static analysis.

• **Echidna **: Fuzzed the contract to evaluate fee calculations with rebasing tokens.

• **Mithril Security **: Analyzed the impact of rebasing tokens on protocol behavior.

Recommendations

1. **Add Support for Rebasing Tokens **:

   • Update fee calculations to account for rebasing tokens:

     if (isRebasingToken(token)) {

     // Adjust balances dynamically

     }

2. **Explicitly Disallow Rebasing Tokens **:

   • Prevent the use of rebasing tokens if they cannot be safely integrated:

     require(!isRebasingToken(token), "Rebasing tokens are not supported");