code-423n4 / 2024-03-pooltogether-findings


Claiming yield fees may fully deplete the yield buffer and render the vault into a lossy state #313

Closed c4-bot-9 closed 5 months ago

c4-bot-9 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622

Vulnerability details

Yield fees are accumulated when transferTokensOut is called. The function calculates the amount of available yield and takes out a percentage of that number, which is allocated for the yield fee recipient to claim.

The issue is that the amount of available yield calculated in transferTokensOut is highly likely to be different from the available yield when the yield fee recipient calls claimYieldFeeShares. Therefore, the following issue may occur:

During periods where a lot of yield is earned from a yield vault, transferTokensOut is called, which increases yieldFeeBalance. Instead of claiming the yield fees immediately, the fee receiver decides to wait until more fees are accrued. Time goes by and the vault enters a lossy state, which can happen due to a loss of funds in the underlying vault. Now the amount of available yield is less than what it was when transferTokensOut was initially called. If the fee receiver now decides to claim the fees, the yield buffer will be fully depleted and shares that are not backed by any assets will be minted to the receiver.

Impact

This will prevent any user from depositing to the vault for a long-lasting period of time and will cause all withdrawals to be at a loss.

Tools Used

Manual review

Recommended Mitigation Steps

When the fee recipient calls claimYieldFeeShares, it should be ensured that there is enough available yield, or the logic of claimYieldFeeShares should be implemented inside of transferTokensOut.

Assessed type

Other

c4-pre-sort commented 5 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as duplicate of #265

raymondfam commented 5 months ago

In addition to the comment of #265, claiming the fee in a lossy state will not affect the state, as yieldFeeBalance is already part of _totalDebt.
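The accounting point in the comment above, as an added example that is not part of the original thread or of the PoolTogether code base: a simplified Python model of the share-minting path through transferTokensOut followed by a late claimYieldFeeShares. It assumes total debt is share supply plus yieldFeeBalance and available yield is assets minus debt minus the yield buffer; the class, method names and numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class VaultModel:
    """Simplified accounting model; the formulas are assumptions of this example."""
    total_assets: int            # assets held in the underlying yield vault
    total_supply: int            # outstanding vault shares (1 share = 1 asset owed)
    yield_fee_balance: int = 0   # fee shares accrued but not yet claimed
    yield_buffer: int = 0        # assets held back from liquidation

    def total_debt(self) -> int:
        # The point raised in the thread: unclaimed fees already count as debt.
        return self.total_supply + self.yield_fee_balance

    def available_yield(self) -> int:
        return max(self.total_assets - self.total_debt() - self.yield_buffer, 0)

    def shortfall(self) -> int:
        # Positive when the vault is lossy (assets do not cover debt).
        return max(self.total_debt() - self.total_assets, 0)

    def transfer_tokens_out(self, amount_out: int, fee: int) -> None:
        # Liquidation: amount_out is minted as shares, fee is accrued for later.
        if amount_out + fee > self.available_yield():
            raise ValueError("exceeds available yield")
        self.total_supply += amount_out
        self.yield_fee_balance += fee

    def claim_yield_fee_shares(self, shares: int) -> None:
        if shares == 0 or shares > self.yield_fee_balance:
            raise ValueError("invalid claim amount")
        # Value moves from one debt bucket to the other; the sum is unchanged.
        self.yield_fee_balance -= shares
        self.total_supply += shares


def claim_after_loss() -> dict:
    v = VaultModel(total_assets=1_100, total_supply=1_000, yield_buffer=10)
    v.transfer_tokens_out(amount_out=80, fee=10)  # fee accrued while yield is high
    v.total_assets -= 150                         # constructed loss in the underlying vault
    before = (v.total_debt(), v.shortfall(), v.available_yield())
    v.claim_yield_fee_shares(10)                  # recipient claims late, vault is lossy
    after = (v.total_debt(), v.shortfall(), v.available_yield())
    return {"before": before, "after": after, "supply": v.total_supply}
```

In this model the debt, shortfall and available yield are identical before and after the claim; only the split between share supply and yieldFeeBalance changes.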

c4-judge commented 5 months ago

hansfriese marked the issue as unsatisfactory: Invalid