Users can lose unclaimed WETH fees when staking additional shares due to improper handling of fee accumulation state in the staking process. The vulnerability stems from the stake() function updating accumulated fees without first ensuring pending fees are claimed.
VaultRouterBranch.sol:380~420
FeeDistributionBranch.sol:284~316
Distribution.sol:61~64, 93~104
I have identified that users can inadvertently lose their unclaimed WETH fees when staking additional shares. This occurs due to a critical interaction between the fee claiming and staking mechanisms.
In the FeeDistributionBranch.sol contract, the claimFees() function appropriately handles fee distribution by updating the actor's lastValuePerShare through the accumulateActor() call at L300.
The core issue lies in the Distribution.sol contract where _updateLastValuePerShare() at L103 resets the accumulated fees when updating the actor's state:
However, the stake() function in VaultRouterBranch.sol calls accumulateActor() without first ensuring that pending fees are claimed. This sequence of operations effectively zeroes out any unclaimed fees the user had accumulated before staking additional shares.
This vulnerability results in a direct financial loss for users who stake additional shares before claiming their pending WETH fees.
I recommend modifying the stake() function in VaultRouterBranch.sol to prevent users from staking when they have unclaimed fees:
This change ensures users must claim their pending rewards before staking additional shares, preventing any accidental loss of funds.
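The loss and the recommended guard, reproduced in a simplified Python model of per-share fee accounting. This is an added example, not the project's Solidity code: the class, method names, fixed-point scale and the assumption that the unguarded stake path discards the amount computed during accumulation are all illustrative.

```python
PRECISION = 10**18  # fixed-point scale (assumption)

class Distribution:
    """Toy per-share fee ledger; names are hypothetical, not the project's."""
    def __init__(self):
        self.value_per_share = 0
        self.total_shares = 0
        self.shares = {}
        self.last_value_per_share = {}
        self.paid = {}

    def distribute(self, amount):
        # Fees are spread over all currently staked shares.
        self.value_per_share += amount * PRECISION // self.total_shares

    def pending(self, actor):
        delta = self.value_per_share - self.last_value_per_share.get(actor, 0)
        return self.shares.get(actor, 0) * delta // PRECISION

    def accumulate_actor(self, actor):
        owed = self.pending(actor)
        # Moving the checkpoint is what makes 'owed' unrecoverable if unpaid.
        self.last_value_per_share[actor] = self.value_per_share
        return owed

    def claim_fees(self, actor):
        self.paid[actor] = self.paid.get(actor, 0) + self.accumulate_actor(actor)

    def stake_unguarded(self, actor, amount):
        self.accumulate_actor(actor)  # result dropped: pending fees vanish
        self.shares[actor] = self.shares.get(actor, 0) + amount
        self.total_shares += amount

    def stake_guarded(self, actor, amount):
        if self.pending(actor) != 0:
            raise RuntimeError("claim pending fees before staking")
        self.stake_unguarded(actor, amount)

def scenario(guarded):
    """Stake 100, receive 50 in fees, stake 100 more; return total fees paid."""
    d = Distribution()
    d.stake_unguarded("alice", 100)  # first stake, nothing pending yet
    d.distribute(50)                 # constructed sample amount
    try:
        (d.stake_guarded if guarded else d.stake_unguarded)("alice", 100)
    except RuntimeError:
        d.claim_fees("alice")        # guard forces the claim first
        d.stake_guarded("alice", 100)
    d.claim_fees("alice")
    return d.paid["alice"]
```
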