The 4626 EIP specifies that in order for a contract to be fully compliant with the standard, the convertToShares function must not revert, except due to an integer overflow. The issue is that it is currently possible for PrizeVault's convertToShares function to revert due to a division by 0.
As if the total assets are less than the total debt, the function returns _assets.mulDiv(totalDebt_, _totalAssets, Math.Rounding.Down);. Therefore, if _totalAssets is 0 and totalDebt_ is more than 0 the function will revert. This is possible in the case that all users have withdrawn their deposits, but the fee recipient is yet to claim their yield fees and yieldFeeBalance is more than 0. The fact that yieldFeeBalance is more than 0 does not mean that the total assets will be more than 0, due to the fact that _totalAssets can always be decreased because of fees, slippage, or loss of funds in the underlying yield vault.
Impact
PrizeVault is not fully compliant with the ERC4626 standard.
Tools Used
Manual review
Recommended Mitigation Steps
In converToShares if _totalAssets is 0 and totalDebt_ is a positive number return 0.
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L341-L352
Vulnerability details
Vulnerability Details
The 4626 EIP specifies that in order for a contract to be fully compliant with the standard, the
convertToShares
function must not revert, except due to an integer overflow. The issue is that it is currently possible forPrizeVault
'sconvertToShares
function to revert due to a division by 0. As if the total assets are less than the total debt, the function returns_assets.mulDiv(totalDebt_, _totalAssets, Math.Rounding.Down);
. Therefore, if_totalAssets
is 0 andtotalDebt_
is more than 0 the function will revert. This is possible in the case that all users have withdrawn their deposits, but the fee recipient is yet to claim their yield fees andyieldFeeBalance
is more than 0. The fact thatyieldFeeBalance
is more than 0 does not mean that the total assets will be more than 0, due to the fact that_totalAssets
can always be decreased because of fees, slippage, or loss of funds in the underlying yield vault.Impact
PrizeVault
is not fully compliant with the ERC4626 standard.Tools Used
Manual review
Recommended Mitigation Steps
In
converToShares
if_totalAssets
is 0 andtotalDebt_
is a positive number return 0.Assessed type
ERC4626