yieldFeeBalance will all be lost if the feeRecipient claimed only a portion #76
Labels:
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-59
🤖_10_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2024-03-pooltogether/blob/main/pt-v5-vault/src/PrizeVault.sol#L617
Vulnerability details
Overview
The PrizeVault facilitates asset deposits and accrues yield through an associated yield vault. This accrued yield is anticipated to be liquidated and allocated to the prize pool as prize tokens.
However, during the liquidation process, a fee is imposed, which accumulates in the yieldFeeBalance. The intended recipient of this fee can either claim the entire balance or opt to claim only a portion of it.
The issue arises when the feeRecipient opts to claim a partial amount, resulting in the forfeiture of the remaining balance.
Impact
Permanent loss of fee funds when the feeRecipient chooses to claim only a portion of the yieldFeeBalance.
Proof of Concept
The function claimYieldFeeShares is utilized by the feeRecipient to claim their portion of the yieldFeeBalance:
In this implementation, the _yieldFeeBalance is mistakenly subtracted from the yieldFeeBalance storage, resulting in the deletion of the entire balance instead of deducting the claimed shares.
For instance, if yieldFeeBalance is 1000 and the feeRecipient claims only 100 shares, they should be left with 900 shares. However, due to the flawed implementation, the entire balance is deleted, leaving the feeRecipient with 0 shares.
Tools Used
Manual review
Recommended Mitigation Steps
Consider subtracting the claimed shares from the yieldFeeBalance:
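The accounting error from the Proof of Concept and the recommended fix, side by side, as an added example. This is a constructed model, not PrizeVault's code or the reporter's: share minting is reduced to a counter, and FeeLedger, accrue, claimedShares, accruedTotal, conserved and the error name are assumptions. With the report's numbers, accruing 1000 and claiming 100 leaves 0 in the first variant and 900 in the second.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed model of the fee accounting described in this report.
/// Not PrizeVault code: minting is a counter and all helper names are assumed.
abstract contract FeeLedger {
    uint256 public yieldFeeBalance; // fee shares still claimable
    uint256 public claimedShares;   // stands in for shares minted to the recipient
    uint256 public accruedTotal;    // every fee share ever credited

    error SharesExceedBalance(uint256 shares, uint256 balance);

    /// Credits a liquidation fee to the claimable balance.
    function accrue(uint256 fee) external {
        yieldFeeBalance += fee;
        accruedTotal += fee;
    }

    /// Claims `shares` out of the balance; partial claims are allowed.
    function claimYieldFeeShares(uint256 shares) external {
        uint256 _yieldFeeBalance = yieldFeeBalance; // cached full balance
        if (shares > _yieldFeeBalance) revert SharesExceedBalance(shares, _yieldFeeBalance);
        yieldFeeBalance = _afterClaim(_yieldFeeBalance, shares);
        claimedShares += shares;
    }

    /// Invariant to check after every claim: no accrued fee share disappears.
    function conserved() external view returns (bool) {
        return claimedShares + yieldFeeBalance == accruedTotal;
    }

    function _afterClaim(uint256 bal, uint256 shares) internal pure virtual returns (uint256);
}

/// Behaviour the report describes: the cached full balance is subtracted,
/// so any partial claim zeroes the remainder and breaks conserved().
contract BuggyLedger is FeeLedger {
    function _afterClaim(uint256 bal, uint256) internal pure override returns (uint256) {
        return bal - bal;
    }
}

/// Mitigation the report recommends: subtract only the claimed shares.
contract FixedLedger is FeeLedger {
    function _afterClaim(uint256 bal, uint256 shares) internal pure override returns (uint256) {
        return bal - shares;
    }
}
```

Asserting conserved() after each claim in a fuzz or invariant test catches this class of error without hard-coding any particular claim amount.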
Assessed type
Other