search

code-423n4 / 2024-03-pooltogether-findings

5 stars 4 forks source link

`claimYieldFeeShares` decrements `yieldFeeBalance` by wrong amount #320

Closed c4-bot-3 closed 5 months ago

c4-bot-3 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622

Vulnerability details

Impact

In claimYieldFeeShares the fee recipient can choose the amount of shares that they want to claim from the yieldFeeBalance. The issue is that currently, even if the fee recipient chooses a number less than the entire yieldFeeBalance, yieldFeeBalance is reset to 0, preventing the fee recipient from claiming any more of the fees they were initially granted. For example, if the fee recipient chooses to claim only 50 of 100 from the yieldFeeBalance, yieldFeeBalance will be reset to 0, and the fee recipient will not be able to claim the remaining 50 yield fees.

Proof of Concept

As we can see yieldFeeBalance is decremented by _yieldFeeBalance instead of _shares.

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617C13-L617C45

   yieldFeeBalance -= _yieldFeeBalance;

Tools Used

Manual review

Recommended Mitigation Steps

Update from:

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617C13-L617C45

   yieldFeeBalance -= _yieldFeeBalance;

To:

   yieldFeeBalance -= _shares;

Assessed type

Other

c4-pre-sort commented 5 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 5 months ago

raymondfam marked the issue as duplicate of #10

c4-pre-sort commented 5 months ago

raymondfam marked the issue as duplicate of #59

c4-judge commented 5 months ago

hansfriese marked the issue as satisfactory