PrizeVault.claimYieldFeeShares()
resets yieldFeeBalance on every call
#73
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-59
edited-by-warden
🤖_10_group
AI based duplicate group recommendation
satisfactory
satisfies C4 submission criteria; eligible for awards
sufficient quality report
This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L617
Vulnerability details
Summary
Calling
PrizeVault.claimYieldFeeShares(uint256 _shares)
with any amount of_shares
(that passes function conditions) will result in loss of yield (loss ofyieldFeeBalance
inside vault) because it resetsyieldFeeBalance
. When yieldFeeRecipient calls this function with_shares
that is less then_yieldFeeBalance
and not equal to 0, it will lead to_yieldFeeBalance - shares
amount of yield being stuck in thePrizeVault
contact.Impact
Fees are stuck in
PrizeVault
contract.Proof of Concept
Add this test to
PrizeVault.t.sol
and run withforge test --match-contract PrizeVaultTest --match-test testClaimYieldFeeShares_LossOfFundsIfClaimNotAllYieldFeeBalance
Recommended Mitigation Steps
Substruct
_shares
instead of_yieldFeeBalance
inPrizeVault.claimYieldFeeShares()
.Assessed type
Math
The text was updated successfully, but these errors were encountered: