YieldNest – Fee on withdrawal from strategy can lead to protocol’s loss

Due to this vulnerability the protocol experiences a loss of assets proportional to the fees charged.

Vulnerability Details

The Max Vaults allocate assets to KernelStrategy deployed contracts that stake assets in Kernel vaults. When a user requests to withdraw assets from the Max Vault, those assets are taken from a special KernelStrategy contract called the buffer strategy (i.e. ynWBNBk). However, when the funds in buffer strategy are not sufficient, the team has to withdraw funds from other strategies (e.g. ynBNBk).

The KernelStrategy contracts include a fee structure for withdrawals which does not work properly for all cases. During withdrawal from KernelStrategy to Max Vault and to the Buffer Strategy, the fee should not be applied. This is essential to prevent an increase in the share rate in the strategy from which the assets are withdrawn (causing a situation where more shares are burned than assets withdrawn) and ensure that other users who have deposited into the strategy do not unintentionally share in the fee distribution.

Attack scenario

Attackers could execute the following sequence:

1. The attacker deposits assets into the ynBNBk strategy which accepts deposits from anyone.
2. The attacker subsequently deposits assets into the Max Vault.
3. The team deposits assets from Max Vault into the ynBNBk strategy.
4. The attacker initiates a withdrawal of tokens back to the Max Vault.
5. There are no enough assets in the buffer strategy and the team has to withdraw assets from other strategies (e.g. ynWBNBk), incurring a fee that influences the share rate.
6. The attacker repeats steps 2-5.
7. The attacker withdraws assets from the yBNBk that have a higher value than the initial deposit in step 1.