claimYieldFeeShares decrements yieldFeeBalance by wrong amount #320
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-59
🤖_10_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611-L622
Vulnerability details
Impact
In claimYieldFeeShares the fee recipient can choose the amount of shares that they want to claim from the yieldFeeBalance. The issue is that currently, even if the fee recipient chooses a number less than the entire yieldFeeBalance, yieldFeeBalance is reset to 0, preventing the fee recipient from claiming any more of the fees they were initially granted.

For example, if the fee recipient chooses to claim only 50 of 100 from the yieldFeeBalance, yieldFeeBalance will be reset to 0, and the fee recipient will not be able to claim the remaining 50 yield fees.

Proof of Concept
As we can see, yieldFeeBalance is decremented by _yieldFeeBalance instead of _shares.
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617C13-L617C45
Tools Used
Manual review
Recommended Mitigation Steps
Update from:
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617C13-L617C45
To:
Assessed type
Other
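The accounting error described in this report, shown as an added example next to the corrected debit. This is a simplified model written for this page, not the PrizeVault source: access control and share minting are left out, and the contract names, the `claimed` counter, the starting balance of 100 and the `require` bounds check are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the fee accounting in this report (hypothetical contract,
// not the project's code). `claimed` stands in for shares minted to the recipient.
contract BuggyFeeLedger {
    uint256 public yieldFeeBalance = 100; // constructed starting balance
    uint256 public claimed;

    function claimYieldFeeShares(uint256 _shares) external {
        uint256 _yieldFeeBalance = yieldFeeBalance;
        require(_shares != 0 && _shares <= _yieldFeeBalance, "bad amount");
        // Reported behaviour: the whole cached balance is subtracted,
        // so any partial claim zeroes yieldFeeBalance.
        yieldFeeBalance -= _yieldFeeBalance;
        claimed += _shares;
    }
}

contract FixedFeeLedger {
    uint256 public yieldFeeBalance = 100; // constructed starting balance
    uint256 public claimed;

    function claimYieldFeeShares(uint256 _shares) external {
        uint256 _yieldFeeBalance = yieldFeeBalance;
        require(_shares != 0 && _shares <= _yieldFeeBalance, "bad amount");
        // Debit only the amount actually claimed.
        yieldFeeBalance -= _shares;
        claimed += _shares;
    }
}

// Conservation check for a unit test or fuzz run:
// claimed + yieldFeeBalance must always equal the fees accrued (100 here).
contract PartialClaimCheck {
    function remainingAfterClaiming50() external returns (uint256 buggy, uint256 fixed_) {
        BuggyFeeLedger b = new BuggyFeeLedger();
        FixedFeeLedger f = new FixedFeeLedger();
        b.claimYieldFeeShares(50);
        f.claimYieldFeeShares(50);
        buggy = b.yieldFeeBalance();
        fixed_ = f.yieldFeeBalance();
        assert(b.claimed() + buggy == 50);   // half of the accrued fees is lost
        assert(f.claimed() + fixed_ == 100); // accrued fees are conserved
    }
}
```

The same conservation property works as a fuzz invariant over arbitrary sequences of partial claims, which catches this class of bug without hard-coding the 50-of-100 case.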