Yield fee is permanently lost if fee claimer doesn't claim all the accumulated yield #180
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-59
🤖_10_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617
Vulnerability details
Impact
The protocol provides the ability to set yield fee and yield fee recipient when registering an Yield Vault in the Prize Vault Factory. The yield fee is accumulated when a user decides to transfer tokens out of the contract as seen in
PrizeVault::transferTokensOut
The accumulated yield can then be withdrawn by the yield fee recipient via
PrizeVault::claimYieldFeeShares
. The function takes in one parameter specifying the amount of accumulated yield shares to mint.However instead of subtracting the amount of shares from the yield fee balance, the balance is subtracted from itself, effectively setting it to zero loosing the
yildFeeBalance - _shares
amount.Note that this issue is not present if
_shares
==_yieldFeeBalance
.Proof of Concept
Add the following test to
Liquidate.t.sol
and run withforge test --mt testClaimYieldFeeShares_YieldDeleted -vvv
Tools Used
Manual Review, Foundry
Recommended Mitigation Steps
Assessed type
Math
The text was updated successfully, but these errors were encountered: