code-423n4 / 2024-03-pooltogether-findings


`_yieldFee` wrongly rounded down in `PrizeVault:transferTokensOut` #314

Closed c4-bot-1 closed 7 months ago

c4-bot-1 commented 7 months ago

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L675

Vulnerability details

Impact

`_yieldFee` was wrongly rounded down, as the intention of the protocol was to round down on the yield balance and round up on the yield fee, as stated here:

```
// The liquid yield is computed by taking the available yield balance and multiplying it
// by (1 - yieldFeePercentage), rounding down, to ensure that enough yield is left for the
// yield fee.
```

This will ultimately cause loss of yield fees to the yield balance.

Proof of Concept

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L675

Tools Used

Manual

Recommended Mitigation Steps

Round up on the yield fee.

Assessed type

Error

c4-pre-sort commented 7 months ago

raymondfam marked the issue as insufficient quality report

raymondfam commented 7 months ago

Incorrect assumption and insufficient proof. Liquid yield (or `amountOut`) is different than yield fee.

c4-pre-sort commented 7 months ago

raymondfam marked the issue as primary issue

c4-judge commented 7 months ago

hansfriese marked the issue as unsatisfactory: Invalid