Back to 0xJoyBoy03's contests

PoolTogether - 0xJoyBoy03's results

General Information

Platform: Code4rena

Start Date: 04/03/2024

Pot Size: $36,500 USDC

Total HM: 9

Participants: 80

Period: 7 days

Judge: hansfriese

Total Solo HM: 2

Id: 332

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 55/80

Findings: 1

Award: $1.47

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPoolTogether

Findings Information

🌟 Selected for report: DarkTower

Also found by: 0xJaeger, 0xJoyBoy03, 0xRiO, 0xkeesmark, 0xlemon, 0xmystery, Abdessamed, AcT3R, Afriauditor, AgileJune, Al-Qa-qa, Aymen0909, Daniel526, DanielTan_MetaTrust, Dots, FastChecker, Fitro, GoSlang, Greed, Krace, McToady, SoosheeTheWise, Tripathi, asui, aua_oo7, btk, crypticdefense, d3e4, dd0x7e8, dvrkzy, gesha17, iberry, kR1s, leegh, marqymarq10, n1punp, pa6kuda, radin100, sammy, smbv-1923, trachev, turvy_fuzz, valentin_s2304, wangxx2026, y4y, yotov721, yvuchev, zhaojie

Awards

1.4652 USDC - $1.47

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
:robot:_10_group
duplicate-59

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-pooltogether/blob/480d58b9e8611c13587f28811864aea138a0021a/pt-v5-vault/src/PrizeVault.sol#L611

Vulnerability details

[M-1] The claimYieldFeeShares function will lose shares if shares != yieldFeeBalance

Description There is a mishandling of yieldFeeBalance in the claimYieldFeeShares function. this function will set the yieldFeeBalance to zero every time is called and doesn't handle the shares well:

    function claimYieldFeeShares(uint256 _shares) external onlyYieldFeeRecipient {
        if (_shares == 0) revert MintZeroShares();

        uint256 _yieldFeeBalance = yieldFeeBalance;
        if (_shares > _yieldFeeBalance) revert SharesExceedsYieldFeeBalance(_shares, _yieldFeeBalance);

        // @audit-medium the `YieldFeeRecipient` lose shares if shares != yieldFeeBalance
        // it should be `yieldFeeBalance -= _shares;` instead for mitigation
        yieldFeeBalance -= _yieldFeeBalance;

        _mint(msg.sender, _shares);

        emit ClaimYieldFeeShares(msg.sender, _shares);
    }

the claimYieldFeeShares function must subtract yieldFeeBalance with shares not with itself because for example if yieldFeeBalance was 10e18 and the yieldFeeRecipient wants just to call the claimYieldFeeShares with 1e18 shares then he would lose the other 9e18 shares which could mint. he had this potential to mint shares more and just lost it.

Impact funds are not at direct risk but yieldFeeRecipient will just lose shares that he could minted.

Recommend Mitigation

-	yieldFeeBalance -= _yieldFeeBalance;
+	yieldFeeBalance -= _shares;

Assessed type

Math

#0 - c4-pre-sort

2024-03-11T23:09:41Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2024-03-11T23:09:46Z

raymondfam marked the issue as duplicate of #10

#2 - c4-pre-sort

2024-03-13T04:38:47Z

raymondfam marked the issue as duplicate of #59

#3 - c4-judge

2024-03-15T07:37:32Z

hansfriese changed the severity to 3 (High Risk)

#4 - c4-judge

2024-03-15T07:37:37Z

hansfriese marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter