findings | December 31, 2024

YieldNest – Inability to unstake required assets from Kernel

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

The vulnerability leads to the inability to automatically withdraw WBNB from the KernelClisStrategy.

Vulnerability Details

The KernelClisStrategy contract is designed to stake deposited WBNB into the Kernel clisBNB vault; this happens automatically if the syncDeposit option is enabled. When an allocator initiates a withdrawal from the strategy, the contract checks whether its balance is adequate to fulfill the request.

If the balance is insufficient, which is often the case due to the strategy’s approach of predominantly staking assets in the Kernel vault, the contract attempts to unstake the required amount from Kernel.

 IStakerGateway(strategyStorage.stakerGateway).unstakeClisBNB(assets - vaultBalance, referralId);

However, the actual amount that is unstaked can differ from the requested amount. This discrepancy may arise in two scenarios:

  1. If the Lista DAO team has set a fee greater than zero (it was set to zero during the audit),
  2. If the available assets in Lista DAO strategies are below the requested withdrawal amount.

In such instances, the team must manually withdraw assets using the processor function to satisfy the withdrawal request.

Impact

MEDIUM – The vulnerability leads to the inability to automatically withdraw WBNB from the KernelClisStrategy.

Recommendation

Addressing this issue is complex. When a fee is applied in Lista DAO or when Kernel returns less WBNB than anticipated, it indicates that YieldNest has fewer assets available than expected.

To mitigate this, YieldNest could either offset the shortfall using treasury funds or pass the loss on to users.

  • Offset the shortfall using treasury funds: the strategy contract should verify the actual amount unstaked and draw the remaining balance from the treasury.
  • Pass the loss on to users: the strategy contract may either provide a lesser amount than requested (which would not comply with ERC4626) or request a larger quantity of assets from Kernel and adjust the total assets managed by the strategy accordingly. This approach would necessitate knowing the additional amount needed for the Kernel gateway request, but the strategy vault could establish a fixed additional percentage based on the Lista DAO fee, updating it as necessary.
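The following Solidity sketch is an added example, not YieldNest's code or the audited contract. It combines both options in one withdrawal path: it requests a fee-adjusted amount, measures the balance actually held after the unstake, and covers any remainder from the treasury or reverts with an explicit error. The names `UnstakeShortfallGuard`, `IERC20Like`, `unstakeFeeBps`, `treasury`, `_unstakeFromKernel`, `_grossUp` and `_ensureLiquidity` are hypothetical, the treasury is assumed to have approved the strategy, and the adjustment of total managed assets mentioned above is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal ERC-20 surface: only the two calls used below.
interface IERC20Like {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added sketch: verify what the unstake delivered instead of trusting the request.
abstract contract UnstakeShortfallGuard {
    uint256 internal constant BPS = 10_000;
    IERC20Like public immutable wbnb; // assumed: the strategy asset
    address public immutable treasury; // assumed: has approved this contract for WBNB
    uint256 public unstakeFeeBps; // assumed: mirrors the Lista DAO fee, must stay below BPS

    error UnstakeShortfall(uint256 needed, uint256 available);

    constructor(IERC20Like wbnb_, address treasury_) {
        wbnb = wbnb_;
        treasury = treasury_;
    }

    // Hook for the existing unstakeClisBNB call; assumed to leave the proceeds here as WBNB.
    function _unstakeFromKernel(uint256 amount) internal virtual;

    // Amount to request so that `net` arrives after the fee, rounded up.
    function _grossUp(uint256 net) internal view returns (uint256) {
        uint256 keep = BPS - unstakeFeeBps;
        return (net * BPS + keep - 1) / keep;
    }

    // Call before transferring `assets` out to the allocator.
    function _ensureLiquidity(uint256 assets) internal {
        uint256 vaultBalance = wbnb.balanceOf(address(this));
        if (vaultBalance >= assets) return;
        _unstakeFromKernel(_grossUp(assets - vaultBalance));

        // Re-read the balance: a fee or low Lista DAO liquidity can still leave it short.
        uint256 available = wbnb.balanceOf(address(this));
        if (available >= assets) return;

        // Cover the remainder from the treasury, or fail with a clear reason.
        uint256 shortfall = assets - available;
        if (wbnb.balanceOf(treasury) < shortfall) revert UnstakeShortfall(assets, available);
        require(wbnb.transferFrom(treasury, address(this), shortfall), "treasury transfer failed");
    }
}
```

With `unstakeFeeBps` at zero, `_grossUp` returns the requested amount unchanged, so the balance check after the unstake is the only behavioural difference from the original call.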
