The entire yieldFeeBalance could be permanently lost due to wrong balance update #233
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-59
🤖_10_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L617
Vulnerability details
Impact
The entire yieldFeeBalance could be permanently lost due to wrong balance update
Proof Of Concept
The issue is in the logic of the
claimYieldFeeShares()
function which is intended to allow the yield fee recipient to transfer out yield fee shares. The caller is allowed to specify a non-zero amount of the fee shares to claim and checks that the amount specified is not more than the fee balance else reverts. However, after this check if updates the yield fee balance and then mint the shares for the recipient. The issue here is that the yield fee balance gets updated by the overall balance instead of the amount being claimed:As you can see, it minuses the entire balance regardless of the amount of shares to be claimed. This means even when a fee recipient attempts to claim any small amount of fee share, the entire yieldFeeBalance will be permanently lost.
Tools Used
Manual Review
Recommendation
I recommend adding this fix:
Assessed type
Error
The text was updated successfully, but these errors were encountered: