Sneaky Zinc Narwhal - the _getYieldFees can be bypassed #568

Open
sherlock-admin3 opened this issue Feb 17, 2025 · 0 comments

Sneaky Zinc Narwhal

High

the _getYieldFees can be bypassed

Summary

The _getYieldFees fee amount can be bypassed by using the function depositRewards instead of depositFromPairedLpToken in the contract **TokenReward**. In the function depositFromPairedLpToken, if LEAVE_AS_PAIRED_LP_TOKEN is set to true, it will subtract the _getYieldFees percentage, but if LEAVE_AS_PAIRED_LP_TOKEN is turned on we can still bypass it by using the depositRewards function with the PAIRED_LP_TOKEN token argument.
https://github.com/sherlock-audit/2025-01-peapods-finance/blob/main/contracts/contracts/TokenRewards.sol#L180

Root Cause

The depositRewards function doesn't have a yield fee calculation if the token is PAIRED_LP_TOKEN.

Internal Pre-conditions

LEAVE_AS_PAIRED_LP_TOKEN has to be true

External Pre-conditions

nothing

Attack Path

nothing

Impact

fee will not be collected

PoC

No response

Mitigation

No response
