Closed code423n4 closed 1 year ago
This seems to be the desired behavior as the liquidation is handled by another contract
asselstine marked the issue as sponsor confirmed
I've explained the yield fee mechanism in this comment: https://github.com/code-423n4/2023-07-pooltogether-findings/issues/124#issuecomment-1668505255
For the yield fee recipient to receive his vault shares, he needs to call the `mintYieldFee` function: https://github.com/GenerationSoftware/pt-v5-vault/blob/44a6c6b081db5cc5e2acc4757a3c9dbaa6f60943/src/Vault.sol#L395
This report is incorrect and should not be part of the final report.
Picodes marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L550-#L587
Vulnerability details
Impact
Yield fee is not deducted from user's received shares
Proof of Concept
Function `liquidate` of `Vault` is described as "User provides prize tokens and receives in exchange Vault shares." Basically, user will give prize token, then they receive back vault's shares after paying a fee configured by the vault. Below is the implementation of function `liquidate`:
As you can see, the code does not deduct the fee and user receives full `_amountOut` shares, also the fee is not transferred to `_yieldFeeRecipient`. In fact, variable `_yieldFeeRecipient` is not used in the contract at all other than the functions to set it.
Below is a POC for the above example, for ease of testing, let's place this test case in file `vault/test/unit/Vault/Liquidate.t.sol` under contract `VaultLiquidateTest`, then test it using command: `forge test --match-path test/unit/Vault/Liquidate.t.sol --match-test testYieldFeeIsNotTransferred -vvvv`
Tools Used
Manual review
Recommended Mitigation Steps
I recommend deducting the fee from liquidate user's shares and transferring it to `_yieldFeeRecipient`.
Assessed type
Other