Closed c4-bot-10 closed 5 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Incorrect assumption. _amountOut is typically _liquidYield or _maxAmountOut as determined by liquidatableBalanceOf(), with _yieldFee already taken care of. (_amountOut + _yieldFee) is then checked again, ensuring they do not exceed _availableYield. If you deduct _yieldFee from _amountOut again, it's going to cause under-liquidation.
hansfriese marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L690
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L692
Vulnerability details
Impact
The yield fee is not accounted for during liquidations in the `PrizeVault::transferTokensOut` function. Therefore, the yield fee percentage relative to the `amountOut` is lost.
Proof of Concept
The function below executes liquidations in the `PrizeVault` contract. As intended by the PoolTogether protocol, the `_yieldFee` is to be accounted for in the amount being liquidated, but the current implementation does not ensure that such liquidations have the relative fee deducted while allocating the supposed fee to the `yieldFeeBalance`.
Breaking down the interesting part of the function logic, we can see that:
- `yieldFeeBalance` increments by the `_yieldFee` this liquidation will incur.
- `_amountOut`. Hence, the `yieldFeeBalance` has just incurred a loss that wasn't accounted for during the final transaction.
- `_mint` will happen with the full `_amountOut` unit of shares instead of `_amountOut - _yieldFee`.
In the POC below, the test is run with the code as is, without the suggested mitigation from the Recommended Mitigation Steps section of this report:
Place the test in the `PrizeVault.t.sol` file and run with `forge test --mt testliquidationDoesntAccountYieldFeePOC -vv`
Now, this other POC is run with the recommended mitigation applied to the PrizeVault contract code:
Place the test in the `PrizeVault.t.sol` file and run with `forge test --mt testliquidationAccountsYieldFeePOC -vv`
Tools Used
Manual review + foundry
Recommended Mitigation Steps
Adjust the logic to account for the `_yieldFee` in the final `_amountOut`:
Assessed type
Other
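As an added illustration of the fee accounting that both the report and the judge's comment describe (this is a simplified model written for this page, not PoolTogether's PrizeVault code; `FEE_PRECISION`, the state dictionary, the rounding choices and the function names are assumptions), the Python below quotes a net amount the way the comment says `liquidatableBalanceOf()` does, then liquidates that quoted amount under the current rule and under the report's suggested extra deduction, so the two outcomes can be compared side by side:

```python
# Simplified model of yield-fee accounting during a PrizeVault liquidation.
# Added example for this issue page; not the project's own code.
# Assumed: fee percentage is expressed in parts per FEE_PRECISION.
FEE_PRECISION = 1_000_000_000


def liquidatable_balance_of(available_yield: int, fee_pct: int) -> int:
    """Model of liquidatableBalanceOf(): the fee share is carved out of the
    available yield up front, so the quoted maximum is already net of the fee.
    Rounded down so the quote can never over-promise."""
    return (available_yield * (FEE_PRECISION - fee_pct)) // FEE_PRECISION


def yield_fee_for(amount_out: int, fee_pct: int) -> int:
    """Fee that corresponds to a net amount_out, i.e. fee/(1 - fee) of it.
    Rounded down so that amount_out + fee never exceeds the gross yield
    the quote was derived from (assumed rounding, not the project's)."""
    return (amount_out * fee_pct) // (FEE_PRECISION - fee_pct)


def _check_and_reserve(state: dict, amount_out: int, fee: int) -> dict:
    """Shared bookkeeping: the pair (amount_out + fee) is checked against the
    available yield once, then consumed, and the fee is credited to the
    fee balance. Only the receiver's payout differs between the two rules."""
    if amount_out + fee > state["available_yield"]:
        raise ValueError("liquidation exceeds available yield")
    new = dict(state)
    new["available_yield"] -= amount_out + fee
    new["yield_fee_balance"] += fee
    return new


def transfer_tokens_out(state: dict, amount_out: int, fee_pct: int) -> dict:
    """Model of the current rule: the full net amount_out is paid out."""
    fee = yield_fee_for(amount_out, fee_pct)
    new = _check_and_reserve(state, amount_out, fee)
    new["receiver_shares"] += amount_out
    return new


def transfer_tokens_out_double_deducted(state: dict, amount_out: int, fee_pct: int) -> dict:
    """Variant applying the report's suggestion of paying amount_out - fee.
    Since amount_out was already net of the fee, the fee is removed twice."""
    fee = yield_fee_for(amount_out, fee_pct)
    new = _check_and_reserve(state, amount_out, fee)
    new["receiver_shares"] += amount_out - fee
    return new


def compare(available_yield: int, fee_pct: int) -> dict:
    """Liquidate the quoted maximum under both rules and report what the
    receiver got, what the fee balance got, and what yield was consumed but
    paid to nobody ("stranded")."""
    start = {"available_yield": available_yield,
             "yield_fee_balance": 0,
             "receiver_shares": 0}
    quoted = liquidatable_balance_of(available_yield, fee_pct)
    cur = transfer_tokens_out(start, quoted, fee_pct)
    sug = transfer_tokens_out_double_deducted(start, quoted, fee_pct)

    def stranded(s: dict) -> int:
        consumed = available_yield - s["available_yield"]
        return consumed - s["receiver_shares"] - s["yield_fee_balance"]

    return {
        "quoted": quoted,
        "current_paid": cur["receiver_shares"],
        "current_fee": cur["yield_fee_balance"],
        "current_stranded": stranded(cur),
        "suggested_paid": sug["receiver_shares"],
        "suggested_fee": sug["yield_fee_balance"],
        "suggested_stranded": stranded(sug),
    }


if __name__ == "__main__":
    # Constructed scenario: 1000 units of available yield, 10% yield fee.
    print(compare(1_000, FEE_PRECISION // 10))
```

With 1000 units of yield and a 10% fee the quote is 900; the current rule pays 900 and books a fee of 100, consuming exactly the 1000 units, while the double-deducted variant pays only 800 for the same 100 fee and leaves 100 units consumed but unallocated. The rounding used here also keeps `quoted + fee <= available_yield` for every integer input, which is the invariant the single post-quote check relies on.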