-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Any fee claim lesser than the total yieldFeeBalance
as unit of shares is lost and locked in the PrizeVault
contract
#59
Comments
raymondfam marked the issue as sufficient quality report |
raymondfam marked the issue as duplicate of #10 |
raymondfam marked the issue as high quality report |
raymondfam marked the issue as not a duplicate |
raymondfam marked the issue as primary issue |
It was deducting _shares in the previous vault though. |
trmid (sponsor) confirmed |
mitigation: GenerationSoftware/pt-v5-vault#85 |
hansfriese marked the issue as satisfactory |
hansfriese marked the issue as selected for report |
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L611-L622
Vulnerability details
Impact
Any fee claim by the fee recipient lesser than the accrued internal accounting of the
yieldFeeBalance
is lost and locked in thePrizeVault
contract with no way to pull out the funds.Proof of Concept
The
claimYieldFeeShares
allows theyieldFeeRecipient
fee recipient to claim fees in yields from thePrizeVault
contract. The claimer can claim up to theyieldFeeBalance
internal accounting and no more. The issue with this function is it presents a vulnerable area of loss with the_shares
argument in the sense that if the accrued yield fee shares is 1000 shares and the claimer claims only 10, 200 or even any amount less than 1000, they forfeit whatever is left of theyieldFeeBalance
e.g if you claimed 200 and hence got minted 200 shares, you lose the remainder 800 because it wipes theyieldFeeBalance
1000 balance whereas only minted 200 shares.Let's see a code breakdown of the vulnerable
claimYieldFeeShares
function:This line of the function caches the total yield fee balance accrued in the contract and hence, the fee recipient is entitled to e.g 100
This next line of code enforces a comparison check making sure the claimer cannot grief other depositors in the vault because the claimant could for example try to claim and mint 150 shares whereas they are only entitled to 100.
This line of code subtracts the cached total yield fee balance from the state yield fee balance e.g 100 - 100. So if say Bob the claimant tried to only mint 50 shares at this point in time with the
_shares
argument, the code wipes the entire balance of 100And this line of code then mints the specified
_shares
amount e.g 50 shares to Bob.So what essentially happens is:
Here's a POC for this issue. Place the
testUnclaimedFeesLostPOC
function inside thePrizeVault.t.sol
file and run the test.Tools Used
Manual review + foundry
Recommended Mitigation Steps
Adjust the
claimYieldFeeShares
to only deduct the amount claimed/mintedAssessed type
Other
The text was updated successfully, but these errors were encountered: