Users may get Yield rewards less than they should

[c4-bot-6]

Lines of code

https://github.com/code-423n4/2024-02-spectra/blob/383202d0b84985122fe1ba53cfbbb68f18ba3986/src/tokens/PrincipalToken.sol#L369-L374

Vulnerability details

Impact

Users may get Yield rewards less than they should

Proof of Concept

EIP-4626 mention that :

If implementors intend to support EOA account access directly, they should consider adding an additional function call for deposit/mint/withdraw/redeem with the means to accommodate slippage loss or unexpected deposit/withdrawal limits, since they have no other means to revert the transaction if the exact output amount is not achieved.

This does not apply to the claimYield function, this has the potential that when a user claims a rewards yield, the claimed yield may less than what it should be. The code below :

    function claimYield(address _receiver) public override returns (uint256 yieldInAsset) {
        uint256 yieldInIBT = _claimYield();
        if (yieldInIBT != 0) {
            yieldInAsset = IERC4626(ibt).redeem(yieldInIBT, _receiver, address(this));
        }
    }

Slippage protection should be applied here as in the main function of Redeem so that the assets received by the user are as they should be.

Tools Used

Manual review

Recommended Mitigation Steps

1. Go through the standards and follow it all.
2. Implementing slippage protection

Assessed type

ERC4626

[c4-pre-sort]

gzeon-c4 marked the issue as sufficient quality report

[c4-pre-sort]

gzeon-c4 marked the issue as primary issue

[gzeon-c4]

not out of spec, feature request

[c4-pre-sort]

gzeon-c4 marked the issue as duplicate of #253

[c4-judge]

JustDravee marked the issue as unsatisfactory: Invalid

[c4-judge]

JustDravee changed the severity to QA (Quality Assurance)

[c4-judge]

JustDravee marked the issue as grade-b