_computeTargetBelongsToYT takes _yt.balanceOf(msg.sender) as a yield token balance of a user, but whenever user calls issue(address(user), 0) before maturity all of his unclaimedYields + _computeAccruedInterestInTarget(_gscales.maxscale, _lscale, yBal) will convert to yield tokens minus fees, so in collect function he will receive more.
0xVolodya
high
Users are not receiving full yield when collect on sunny days.
Summary
Some users will receive more target tokens on sunny days than they are supposed to.
Vulnerability Detail
Let's look at how computation is going on after maturity
napier-v1/src/Tranche.sol#L417
_computeTargetBelongsToYT
takes_yt.balanceOf(msg.sender)
as a yield token balance of a user, but whenever user callsissue(address(user), 0)
before maturity all of hisunclaimedYields + _computeAccruedInterestInTarget(_gscales.maxscale, _lscale, yBal)
will convert to yield tokens minus fees, so incollect
function he will receive more.Impact
I think users will receive less than they should after maturity in some cases
Code Snippet
Tool used
Manual Review
Recommendation
Add the accrued amount of yield tokens and unclaimed to the sunny formula calculation similar to this but take into account scale at maturity time