Closed c4-bot-9 closed 5 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #265
In addition to the comment of #265, claiming fee in a lossy state will not affect the state as yieldFeeBalance is already part of _totalDebt.
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622
Vulnerability details
Vulnerability Details
Yield fees are accumulated when
transferTokensOut
is called. The function calculates the amount of available yield and takes out a percentage of that number, which is allocated for the yield fee recipient to claim.The issue is that the number of available yield that is calculated in
transferTokensOut
is highly likely to be different from the available yield when the yield fee recipient callsclaimYieldFeeShares
. Therefore, the following issue may occur: During periods where a lot of yield is earned from a yield vault,transferTokensOut
is called which increasesyieldFeeBalance
. Instead of claiming the yield fees immediately the fee receiver decides to wait until more fees are accrued. Time goes by and the vault enters a lossy state which can happen due to a loss of funds in the underlying vault. Now the number of available yield is less than what it was whentransferTokensOut
was initially called. Now, if the fee receiver decides to claim the fees the yield buffer will be fully depleted and shares that are not backed up by any assets will be minted to the receiver.Impact
This will prevent any user from depositing to the vault for a long-lasting period of time and will cause all withdrawals to be at a loss.
Tools Used
Manual review
Recommended Mitigation Steps
When the fee recipient calls
claimYieldFeeShares
it should be made sure that there is enough available yield, or the logic ofclaimYieldFeeShares
should be implemented inside oftransferTokensOut
.Assessed type
Other