Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622
Vulnerability details
Impact
In claimYieldFeeShares the fee recipient can choose the amount of shares that they want to claim from the yieldFeeBalance. The issue is that currently, even if the fee recipient chooses a number less than the entire yieldFeeBalance, yieldFeeBalance is reset to 0, preventing the fee recipient from claiming any more of the fees they were initially granted. For example, if the fee recipient chooses to claim only 50 of 100 from the yieldFeeBalance, yieldFeeBalance will be reset to 0, and the fee recipient will not be able to claim the remaining 50 yield fees.
Proof of Concept
As we can see yieldFeeBalance is decremented by _yieldFeeBalance instead of _shares.
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617C13-L617C45
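The accounting error described above, reduced to a minimal model with the described decrement beside a decrement by the claimed amount. This is an added example, not the PrizeVault source: the contract name, accrueFee, the error names and the two claim function names are assumptions, and share minting is replaced by a plain balance mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Added illustration: a simplified model of the fee accounting, not PrizeVault.sol.
// YieldFeeModel, accrueFee, claimBuggy, claimFixed and the errors are hypothetical names.
contract YieldFeeModel {
    uint256 public yieldFeeBalance;               // fee shares still owed to the recipient
    mapping(address => uint256) public balanceOf; // stands in for minted vault shares
    address public immutable yieldFeeRecipient;

    error NotYieldFeeRecipient();
    error ZeroShares();
    error ExceedsFeeBalance(uint256 shares, uint256 available);

    modifier onlyYieldFeeRecipient() {
        if (msg.sender != yieldFeeRecipient) revert NotYieldFeeRecipient();
        _;
    }

    constructor(address recipient) {
        yieldFeeRecipient = recipient;
    }

    // Stand-in for fee accrual; unrestricted only because this is a model.
    function accrueFee(uint256 amount) external {
        yieldFeeBalance += amount;
    }

    // Behaviour described in the finding: the whole cached balance is subtracted.
    function claimBuggy(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert ZeroShares();
        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert ExceedsFeeBalance(_shares, _yieldFeeBalance);
        yieldFeeBalance -= _yieldFeeBalance; // always leaves 0, whatever _shares is
        balanceOf[msg.sender] += _shares;
    }

    // Same checks, but only the claimed amount is subtracted.
    function claimFixed(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert ZeroShares();
        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert ExceedsFeeBalance(_shares, _yieldFeeBalance);
        yieldFeeBalance -= _shares; // the unclaimed remainder stays claimable
        balanceOf[msg.sender] += _shares;
    }
}
```

With 100 accrued, claimBuggy(50) leaves yieldFeeBalance at 0 and a second claim of 50 reverts, while claimFixed(50) leaves 50 that can be claimed later.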
Tools Used
Manual review
Recommended Mitigation Steps
Update from:
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617C13-L617C45
To:
Assessed type
Other