Summary

A critical vulnerability exists in the VaultRouterBranch.stake() function where users silently lose their unclaimed WETH rewards when staking additional shares. The vulnerability stems from the reward distribution mechanism's improper handling of lastValuePerShare updates during staking operations. While the unstake() function properly protects users by reverting if unclaimed rewards exist, stake() lacks this protection, leading to permanent loss of rewards.

Vulnerability Details

The Zaros protocol implements a sophisticated reward distribution system where WETH rewards are allocated to vault stakers proportionally to their share holdings. The system uses a cumulative reward tracking mechanism with three key components:

1. Global Reward Tracking:

   • valuePerShare: A cumulative measure of rewards per share (in WETH)

   • Increases each time new rewards are distributed to the vault

   • Represents total historical rewards per share

2. User-Specific Tracking:

   • lastValuePerShare: User's checkpoint for reward calculations

   • Updated when user claims rewards or modifies their stake

   • Used as the baseline for calculating unclaimed rewards

3. Reward Calculation:

   unclaimedRewards = userShares * (valuePerShare - lastValuePerShare)

The vulnerability manifests in the reward accumulation logic, specifically in how Distribution.accumulateActor() is called during staking operations:

The core issue lies in how _updateLastValuePerShare() modifies the user's reward checkpoint without ensuring rewards are claimed:

• means if the user stake additional shares, the unclaimed rewards will be lost

To illustrate the vulnerability, consider this scenario:

1. Initial State (t0):

   User State:

   - Staked shares = 100

   - lastValuePerShare = 1.0 WETH/share

   - currentValuePerShare = 1.5 WETH/share

   - Unclaimed rewards = 100 * (1.5 - 1.0) = 50 WETH

2. User Stakes More (t1):

   Action: User stakes 50 more shares

   ​

   System Updates:

   1. accumulateActor() called

   2. lastValuePerShare → 1.5 (updated to current)

   3. total shares → 150

   ​

   Result:

   - New claimable = 150 * (1.5 - 1.5) = 0 WETH

   - Previous 50 WETH permanently lost

Note that The unstake() function correctly implements safety checks:

Impact

The vulnerability results in direct and permanent economic loss for stakers through:

Tools Used

Manual review

Recommendations

• Add Protective Revert (like unstake):