Users who deposit into a Prize Vault after the Prize Pool has shut down cannot earn any yield
Summary
The prize vault takes deposits of an asset and earns yield with the deposits through an underlying yield vault. The yield is then expected to be liquidated and contributed to the prize pool as prize tokens. The issue is that after a shutdown the yield is still contributed to the Prize Pool. Therefore, any users that have deposited funds after, or close to the date of the shutdown cannot win any yield from the Prize Pool.
Vulnerability Detail
After a Prize Pool goes into a shutdown state, either because of the Twab Controller or due to inactivity, users can withdraw their shutdown balance. The shutdown balance is the amount of prize tokens that a user can claim after the prize pool has been shut down. It is calculated using the user's TWAB and the total supply TWAB, whose time ranges are the grand prize period prior to the shutdown timestamp. After the shutdown, any new contributions are also distributed in the same way:
The issue is that the new contributions may not have come from the users who contributed 365 days prior to the shutdown timestamp, yet they still earn a portion of the new contributions. Therefore, not only will the contributions after the shutdown be distributed unfairly, but new depositors will not be able to earn anything as their portion numerator will be 0:
The short-term solution is to prevent contributions to the Prize Pool after it has shut down. A long-term solution would be to implement a system that distributes the new contributions fairly to the depositors after a shutdown.
trachev
medium
Users who deposit into a Prize Vault after the Prize Pool has shut down cannot earn any yield
Summary
The prize vault takes deposits of an asset and earns yield with the deposits through an underlying yield vault. The yield is then expected to be liquidated and contributed to the prize pool as prize tokens. The issue is that after a shutdown the yield is still contributed to the Prize Pool. Therefore, any users that have deposited funds after, or close to the date of the shutdown cannot win any yield from the Prize Pool.
Vulnerability Detail
After a Prize Pool goes into a shutdown state, either because of the Twab Controller or due to inactivity, users can withdraw their shutdown balance. The shutdown balance is the amount of prize tokens that a user can claim after the prize pool has been shut down. It is calculated using the user's TWAB and the total supply TWAB, whose time ranges are the grand prize period prior to the shutdown timestamp. After the shutdown, any new contributions are also distributed in the same way:
The issue is that the new contributions may not have come from the users who contributed 365 days prior to the shutdown timestamp, yet they still earn a portion of the new contributions. Therefore, not only will the contributions after the shutdown be distributed unfairly, but new depositors will not be able to earn anything as their portion numerator will be 0:
Impact
Users are at risk of a loss of funds, and having their deposits treated unfairly.
Code Snippet
https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-prize-pool/src/PrizePool.sol#L904-L932
Tool used
Manual Review
Recommendation
The short-term solution is to prevent contributions to the Prize Pool after it has shut down. A long-term solution would be to implement a system that distributes the new contributions fairly to the depositors after a shutdown.
Duplicate of #36