sherlock-audit / 2024-05-pooltogether-judging


0xSpearmint1 - Liquidator can avoid paying the yieldFee by liquidating small amounts #55

Closed sherlock-admin4 closed 3 months ago

sherlock-admin4 commented 3 months ago

0xSpearmint1

high

Liquidator can avoid paying the yieldFee by liquidating small amounts

Summary

Liquidator can avoid paying the yieldFee by liquidating small amounts

Vulnerability Detail

A PrizeVault owner will set the yieldFeePercentage that they expect liquidators to pay when liquidating yield.

It is calculated in transferTokensOut by the following formula:

 _yieldFee = (_amountOut * FEE_PRECISION) / (FEE_PRECISION - _yieldFeePercentage) - _amountOut

A malicious liquidator can calculate an _amountOut such that for a given _yieldFeePercentage, the _yieldFee = 0

See the POC section for an example of a liquidator avoiding paying the fee

Impact

Liquidator has avoided paying the fee that they should pay to PrizeVault owners

If all liquidators employ this profitable strategy, PrizeVault owners will never accumulate yieldFeeBalance

Proof of Concept

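Paste the following code into Remix

// SPDX-License-Identifier: GPL-3.0

pragma solidity ^0.8.2;

contract POC {
    // Reproduces the fee formula from transferTokensOut, with FEE_PRECISION = 10**9.
    // Integer division truncates, so a small enough _amountOut yields _yieldFee == 0.
    function fee(uint256 _amountOut, uint256 _yieldFeePercentage) external pure returns (uint256 _yieldFee) {
        _yieldFee = (_amountOut * 10**9) / (10**9 - _yieldFeePercentage) - _amountOut;
    }
}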

Input the following: _amountOut = 9998, _yieldFeePercentage = 100000 (1 basis point)

Output 0: uint256: _yieldFee 0

Another Example

Input the following: _amountOut = 998, _yieldFeePercentage = 1000000 (10 basis points)

Output 0: uint256: _yieldFee 0

Code Snippet

https://github.com/sherlock-audit/2024-05-pooltogether/blob/1aa1b8c028b659585e4c7a6b9b652fb075f86db3/pt-v5-vault/src/PrizeVault.sol#L731

Tool used

Manual Review

Recommendation

If _yieldFeePercentage != 0 then if _yieldFee = 0 revert the Tx
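Added example, not part of the original report or the project's code: a Python model of the formula above that derives the largest _amountOut whose fee truncates to zero, measures how much fee the truncation drops, and models the recommended revert. The function names are hypothetical; FEE_PRECISION = 10**9 is taken from the POC.

```python
from fractions import Fraction

FEE_PRECISION = 10**9  # same constant as the 10**9 in the POC


def yield_fee(amount_out: int, fee_pct: int) -> int:
    """Fee per the report's formula; // mirrors Solidity's truncating division."""
    return amount_out * FEE_PRECISION // (FEE_PRECISION - fee_pct) - amount_out


def exact_fee(amount_out: int, fee_pct: int) -> Fraction:
    """Same formula without truncation: a*P/(P-f) - a == a*f/(P-f)."""
    return Fraction(amount_out * fee_pct, FEE_PRECISION - fee_pct)


def max_zero_fee_amount(fee_pct: int) -> int:
    """Largest amount_out whose fee truncates to 0.

    fee == 0  <=>  a*P < (a+1)*(P-f)  <=>  a*f < P-f
    """
    if not 0 < fee_pct < FEE_PRECISION:
        raise ValueError("fee_pct must be in (0, FEE_PRECISION)")
    return (FEE_PRECISION - fee_pct - 1) // fee_pct


def yield_fee_guarded(amount_out: int, fee_pct: int) -> int:
    """Model of the recommendation (hypothetical helper, not project code):
    reject a zero fee whenever a non-zero fee percentage is configured."""
    fee = yield_fee(amount_out, fee_pct)
    if fee_pct != 0 and fee == 0:
        raise ValueError("zero yield fee with non-zero fee percentage")
    return fee


if __name__ == "__main__":
    # The two fee settings used in the POC: 1 and 10 basis points.
    for pct in (100_000, 1_000_000):
        limit = max_zero_fee_amount(pct)
        print(f"fee_pct={pct}: fee is 0 up to amount_out={limit}, "
              f"fee({limit + 1})={yield_fee(limit + 1, pct)}, "
              f"truncated fee at limit={float(exact_fee(limit, pct)):.6f}")
```

The truncated part is always below one smallest unit of the token per liquidation, so the guard matters only where many such small liquidations are economical.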

sherlock-admin3 commented 3 months ago

1 comment(s) were left on this issue during the judging contest.

infect3d commented:

low__ MIN_PRICE from LiquidationPair makes this very unlikely to happen

nevillehuang commented 3 months ago

Invalid/low severity. In addition to the minimum 100 wei price implemented for each auction, the amount lost from yield is almost zero. Gas costs would disincentivize this as well.