Incorrect yieldFeeBalance
calculation
#29
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-59
🤖_10_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622
Vulnerability details
Impact
PrizeVault::claimYieldFeeShares
transfers yield fee shares to the yield fee recipient. However, it incorrectly resets theyieldFeeBalance
to0
on each call, causing any remainingyieldFeeBalance
to be unclaimable indefinitely.Proof of Concept
PrizeVault::claimYieldFeeShares
#L611-622In the function, you can see that the value of
yieldFeeBalance
is stored in_yieldFeeBalance
, which is used to check if the number of shares entered exceeds the fees available to claim. However, we can see thatyieldFeeBalance
is then reduced by_yieldFeeBalance
, effectively resetting it to 0. Any fee balance that was previously claimable now becomes unclaimable indefinitely.This will cause issues if
_shares < yieldFeeBalance
. The correct way is to reduceyieldFeeBalance
by_shares
.Tools Used
Manual Review.
Recommended Mitigation Steps
Perform the correct calculation:
Assessed type
Math
The text was updated successfully, but these errors were encountered: